JP7280285B2 - Efficient simultaneous scalar product computation - Google Patents

Description

CROSS-REFERENCE TO RELATED APPLICATIONS This application is a nonprovisional patent application of U.S. patent application Ser. The entirety is incorporated herein by reference.

In many cases, computers can simply send data to each other for comparison, especially if the data is not private. For example, a user may want to check whether local software is up-to-date (ie, is the software the latest stable version of that software available). A user may be okay with sending data about the software to an external server for comparison. However, in some cases, especially if they contain personal data or personally identifiable information (e.g., medical records, payment account numbers, biometrics), the User may be advised that an external computer is manipulated by unauthorized or malicious users or organizations. You may not want to send that data to another external computer for fear that it may be compromised.

Fortunately, there are techniques, such as secure multi-party computation techniques, that allow multiple computers to compare data and perform computations without revealing each other's data. Unfortunately, these techniques are often slow, complex, and require extensive computational operations. If the participating computers have poor connectivity, the probability of secure multiparty computation failure is significantly increased. Moreover, the large number of communication and computing operations makes such protocols unsuitable for time-sensitive applications and low-performance computing environments.

Embodiments individually and collectively address these and other issues.

Embodiments of the present invention are directed to methods and systems for safely and simultaneously computing the scalar product (or "dot" product) of two vectors. A first computer and a second computer can have first and second vectors, respectively, without the first computer revealing the first vector to the second computer and the second computer can simultaneously compute the scalar product of the first and second vectors without revealing the second vector to the first computer. Each computer can compare the scalar product or a value derived from the scalar product to a predetermined threshold. The first computer and the second computer can interact with each other provided that the scalar product or the value derived from the scalar product exceeds a predetermined threshold. For example, an interaction can include a second computer issuing an access token to a first computer.

By way of example, the biometric authorization system (second computer) uses biometric vectors (i.e., vectorized biometric instance) can be compared to a biometric vector stored on a second computer, and the second computer, if the biometrics match, sends an access token (a payment token, or tokens, etc.) can be issued. However, if the second computer doesn't want to give the user a copy of the stored biometric vector, as the user could be a fraudster trying to steal the biometric vector to perform impersonation. There is Similarly, the user may not want to pass a copy of the biometric vector to the second computer, as the second computer may be manipulated by fraudsters. Embodiments can be used to compute a scalar product and use the scalar product to perform a comparison of two biometric instances, where a user discloses their respective biometric vectors to a second computer. and without the second computer disclosing its respective biometric vector to the user. In this way users can be authorized without the risk of exposing confidential data.

Embodiments provide improvements over conventional systems. Because embodiments allow scalar products to be computed without performing as much communication between computers or entities, resulting in increased speed and reliability. In an embodiment of the present disclosure, the first computer and the second computer compute scalar products simultaneously, and both the first computer and the second computer compute the squared magnitude of the first vector α, and the second The magnitude of the square of the vector β of , need not be transmitted to the other computer either. This reduces the number of messages sent between computers, making the protocol faster, more efficient, and more reliable than traditional systems.

One embodiment provides, by a first computer, a second computer with a first public key, a second public key, a first encrypted masked vector, and a first encrypted transmitting a random vector, wherein the first encrypted masked vector is the first masked vector encrypted using the first public key; The encrypted random vector is the first random vector encrypted using the second public key, sending and sending, by the first computer, from the second computer, the third a fourth public key, a second encrypted masked vector, and a second encrypted random vector, wherein the second encrypted masked is the second masked vector encrypted using the third public key, and the second encrypted random vector is encrypted using the fourth public key receiving a third permuted encrypted difference vector and a fourth permuted encrypted difference vector from the second computer by the first computer, which is a second random vector obtained by a third permuted encrypted difference vector encrypted using the first public key, permuted using the third permutation, and The four permuted encrypted difference vectors are encrypted using the second public key and permuted using the fourth permutation; generating a third permuted difference vector by decrypting the third permuted encrypted difference vector using the first private key corresponding to the one public key; a fourth permuted difference vector by decrypting the fourth permuted encrypted difference vector using a second private key corresponding to the second public key, by a computer; generating a vector based on the first masked vector, the first random vector, the third permuted difference vector and the fourth permuted difference vector and the second computing the scalar product of the vectors of .

Another embodiment is directed to a first computer that includes a processor and a non-transitory computer-readable medium coupled to the processor that includes code executable by the processor to perform the methods described above.

These and other embodiments are described in detail below. A better understanding of the nature and advantages of the embodiments may be obtained with reference to the following detailed description and accompanying drawings.
conditions

A "server computer" may include a powerful computer or computer cluster. For example, a server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer can be a database server coupled to a web server. A server computer may include one or more computing devices and may employ any of a variety of computer structures, arrangements and compilations to service requests from one or more client computers.

A "memory" may be any suitable device or devices capable of storing electronic data. Suitable memory may include non-transitory computer-readable media storing instructions that may be executed by a processor to perform a desired method. Examples of memory may include one or more memory chips, disk drives, and the like. Some memories may operate using any suitable electrical, optical, and/or magnetic mode of operation.

"Processor" can refer to any suitable data computing device or devices. A processor may comprise one or more microprocessors working together to achieve the desired functionality. The processor may include a CPU with at least one high speed data processor suitable for executing program components that carry out user and/or system generated requests. The CPUs may be AMD Athlon, Duron, and/or Opteron, IBM and/or Motorola PowerPC, IBM and Sony Cell processors, Intel Celeron, Itenium, Pentium, Xeon, and/or XScale, and/or the like. It may be a microprocessor such as a processor.

A "secure element" can refer to a component that can securely perform a function. A secure element may be a memory that securely stores data such that access to the data is protected. Examples of "secure elements" are the processor's Trusted Execution Environment (TEE), a secure region. Another example of a secure element is a Universal Integrated Circuit Card (UICC), a secure smart card. Additional examples of secure elements are embedded secure elements, embedded hardware components of larger mechanical or electrical systems.

を有し得る。ベクトルの構成要素は、ラベルと関連付けられてもよく、例えば、第二の例示的なベクトル

は、三つの構成要素：

を有し得る。数学的演算は、ベクトルに適用されてもよく、例えば、二つのベクトルは、加算されてもよく、または互いに減算されてもよい。「ランダムなベクトル」は、例えば、乱数発生器または疑似乱数発生器を使用して、ランダムまたは疑似ランダムに生成された構成要素の順番付けられたリストを指してもよい。「差分ベクトル」は、例えば、二つのベクトル間の差に等しいベクトルを指してもよく、例えば：

「マスクされたベクトル」は、ベクトルとランダムベクトルとのベクトル和を指してもよい。「ベクトル化」という用語は、データのセットがベクトルに変換される任意のプロセス、例えば、人の身長、体重、および年齢が、その人の身長、体重、および年齢に対応する構成要素を含むベクトルに変換されるプロセスを指す場合がある。 A "vector" may refer to an ordered list of components. The components of the vector may be numeric values, for example, an exemplary vector has three components:

can have Components of the vector may be associated with labels, e.g., the second exemplary vector

has three components:

can have Mathematical operations may be applied to vectors, for example two vectors may be added or subtracted from each other. A "random vector" may refer to an ordered list of components that is randomly or pseudorandomly generated using, for example, a random number generator or pseudorandom number generator. A "difference vector" may, for example, refer to a vector equal to the difference between two vectors, such as:

A "masked vector" may refer to a vector sum of a vector and a random vector. The term "vectorization" refers to any process by which a set of data is transformed into a vector, e.g., a vector whose height, weight, and age of a person contains components corresponding to that person's height, weight, and age It may refer to the process of being converted to

"Permutation" can refer to the way something can be ordered or arranged. The term "permuted" can indicate that something has been ordered or arranged through permutations. For example, a permuted vector may refer to a vector rearranged according to the permutation.

"User" refers to a person or thing that uses another for some purpose. Users may include individuals who may be associated with one or more personal accounts and/or user devices. A user may also be referred to as a cardholder, account holder, or consumer in some embodiments.

A "resource" may refer to anything that may be used by or transferred between entities. Examples of resources include access to goods, services, information, and/or restricted locations.

A "resource provider" can refer to an entity that can provide resources. Examples of resource providers include retailers, government agencies, and the like. A resource provider can operate the resource provider's computer.

A "communication device" may include any suitable device capable of providing remote or direct communication capabilities. Examples of telecommunications capabilities include cellular (wireless) networks, wireless data networks (eg, 3G, 4G or similar networks), Wi-Fi, Wi-Max, or access to networks such as the Internet or private networks. It includes using any other communication medium that can be provided. Examples of communication devices include desktop computers, video game consoles, mobile phones (eg, cell phones), PDAs, tablet computers, netbooks, laptop computers, personal music players, handheld dedicated readers, smart cards, and the like. Further examples of communication devices include wearable devices such as smart watches, fitness bands, ankle bracelets, rings, earrings, as well as automobiles with remote or direct communication capabilities.

"Interaction" may refer to an interaction, effect or influence. For example, an interaction can be an exchange or transaction between two or more parties.

An "access terminal" may be any suitable device that provides access to a remote system. Access terminals may also be used to communicate with retailer computers, transaction processing computers, authentication computers, or any other suitable system. Access terminals may generally be located at any suitable location, such as retailer locations. Access terminals may be of any suitable form. Some examples of access terminals include point-of-sale (e.g., POS) terminals, mobile phones, PDAs, personal computers (PCs), tablet PCs, handheld dedicated readers, set-top boxes, electronic cash registers (ECRs), cash Including automated teller machines (ATMs), virtual cash registers (VCRs), kiosks, security systems, access systems and the like. The access terminal can transmit data to, or receive data associated with, a user's mobile device using any suitable contact or contactless mode of operation. In some embodiments where the access terminal may comprise a POS terminal, any suitable POS terminal may be used and the terminal may include a reader, a processor, and a computer readable medium. The reader can include any suitable contact or contactless mode of operation. For example, exemplary card readers may include radio frequency (RF) antennas, optical scanners, barcode readers or magnetic stripe readers to interact with payment devices and/or mobile devices. In some embodiments, a cell phone, tablet, or other dedicated wireless device used as a POS terminal may be referred to as a mobile point of sale terminal, or "mPOS" terminal.

"Access network" can refer to the network associated with an access terminal. An access network may include an array of devices that support access terminals by providing a number of required functions. For example, an access network may be an array of antennas or beacons (such as Wi-Fi or Bluetooth beacons) designed to communicate with a collection of mobile devices on behalf of access terminals. Access networks may include local area networks, wide area networks, or networks such as cellular networks or the Internet.

The term "biometric instance" can include information related to a biological observation. A biometric instance may include biometric data corresponding to a biometric sample or a biometric template derived from a biometric sample or biometric data. A biometric instance can be used to verify a user's identity. A biometric instance may be captured via a biometric interface, which is the hardware used to capture the biometric instance. For example, a biometric instance may be captured via a biometric interface such as an iris scanner with an infrared light source and camera. Examples of biometric instances include a digital representation of an iris scan (such as a binary code representing the iris), fingerprints, voice recordings, face scans, and the like. The biometric instance may be stored in encrypted form and/or in secure memory of the mobile device.

The term "cryptographic key" can refer to anything used in encryption or decryption. For example, a cryptographic key can refer to the product of two large prime numbers. A cryptographic key serves as an input to a cryptographic process or cryptosystem, such as RSA or AES, and can be used to encrypt plaintext to produce a ciphertext output or decrypt ciphertext to produce a plaintext output. can be done.

The term "plaintext" can refer to text in plain form. For example, plaintext can refer to sentences that can be read by humans or computers without any processing, such as the phrase "Hello, how are you?" It can also refer to text in unencrypted form. Numbers and other symbols may also be considered plaintext.

The term "ciphertext" can refer to text that is in encrypted form. For example, this could refer to text that needs to be decoded before it can be understood by humans or computers. The ciphertext can be generated with any number of encryption algorithms, such as RSA and AES.

An "acquirer" may generally be a business entity (eg, commercial bank) that has a business relationship with a particular retailer or other entity. Some entities may perform the functions of both issuer and acquirer. Some embodiments may include such a single entity issuer acquirer. Acquirers may operate acquirer computers, which may also be collectively referred to as "transport computers."

An "authorizing entity" may be the entity that authorizes the request. Examples of authorized entities may include issuers, government agencies, archives, access managers, and the like. "Issuer" may generally refer to the business entity (eg, bank) that holds the account for the user. The issuer can also issue the consumer a proof of payment stored on a mobile device such as a cell phone, smart cart card, tablet, or laptop. Approved Entities can operate Approved Computers.

"Authentication data" may include any data suitable for proving that something is true and valid. Authentication data may be obtained from the user or a device operated by the user. Examples of authentication data obtained from the user may include a PIN (personal identification number), password, and the like. Examples of authentication data that may be obtained from a mobile device may include device serial number, hardware security element identifier, device fingerprint, phone number, IMEI number, biometric instance stored on the mobile device, and the like.

A "payment device" may include any suitable device that can be used to conduct a financial transaction, such as providing proof of payment to a retailer. A payment device may be a software object, a hardware object, or a physical object. By way of example of a physical object, the payment device includes a substrate such as a paper or plastic card and information printed, embossed, encoded or otherwise contained on or near the surface of the object. can include Hardware objects may relate to circuits (eg, permanent voltage values) and software objects may relate to non-permanent data stored on the device. A payment device may be associated with a value such as a monetary value, discount, or store credit, and a payment device may be associated with an entity such as a bank, retailer, payment processing network, or person. A payment device can be used to make payment transactions. A suitable payment device may be handheld and compact such that it can fit in a user's purse and/or pocket (eg, pocket-sized). Examples of payment devices include smart cards, magnetic stripe cards, keychain devices (such as the Speed-pass™ available from Exxon-Mobil Corp.), and the like. Other examples of mobile devices include pagers, payment cards, security cards, access cards, smart media, transponders, and the like. If the payment device is in the form of a debit, credit or smart card, the payment device may optionally also have features such as a magnetic stripe. Such devices can operate in both contact and contactless modes. In some embodiments, the mobile device can act as a payment device (eg, the mobile device can store and transmit payment certificates for transactions).

A "certificate" may be any suitable information that serves as reliable proof of value, ownership, identity, or authority. An "access credential" may be a credential that can be used to gain access to a particular resource (eg, goods, services, places, etc.). A certificate may be a string of numbers, letters, or any other suitable symbols, or any object or document capable of serving as a verification. Examples of credentials include ID cards, authentication documents, access cards, passcodes and other login information, payment account numbers, access badge numbers, payment tokens, access tokens, and the like.

A "payment certificate" may include any suitable information associated with an account (eg, payment account and/or payment device associated with the account). Such information may be directly related to the account or may be derived from information related to the account. Examples of account information include PAN (primary account number or "account number"), username, expiration date, CVV (card verification value), dCVV (dynamic card verification value), CVV2 (card verification value 2), etc. can be A payment certificate may be any information that identifies or is associated with a payment account. A payment certificate may be provided for making payments from a payment account. The payment certificate may also include the username, expiration date, gift card number or code, and any other suitable information.

A "token" may be a replacement value for a genuine certificate. A token may be a type of certificate and may be a string of numbers, letters, or any other suitable symbol. Examples of tokens include payment tokens, access tokens, personal identification tokens, and the like.

A "payment token" may include an identifier for a payment account that is an alternative to an account identifier such as a primary account number (PAN). For example, a token may include a string of alphanumeric characters that can be used as a replacement for the original account identifier. For example, the token "4900 0000 0000 0001" may be used instead of the PAN "4147 0900 0000 1234". In some embodiments, tokens may be "format preserving" and may have a numeric format (eg, ISO 8583 financial transaction message format) that conforms to account identifiers used in existing transaction processing networks. In some embodiments, the token is used to initiate, authorize, settle or settle payment transactions, or to represent the original certificate in other systems where the original certificate would normally be provided. It may be used instead of PAN. In some embodiments, the token value may be generated such that recovery of the original PAN or other account identifier from the token value is not computationally derived. Further, in some embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token.

An "approval request message" may be an electronic message sent to request approval for a transaction. In some embodiments, an "authorization request message" may be an electronic message sent to a payment processing network and/or payment card issuer requesting authorization for a transaction. Authorization request messages according to some embodiments may comply with ISO 8583, a standard for systems for exchanging electronic transaction information associated with payments made by consumers using payment devices or payment accounts. The authorization request message may include an issuer account identifier, which may be associated with the payment device or payment account. The Authorization Request message may also include additional data elements corresponding to "Identification Information" including, by way of example only, service code, CVV (card verification value), dCVV (dynamic card verification value), expiration date, etc. can. The authorization request message also includes information associated with the current transaction, such as transaction amount, retailer identifier, retailer location, as well as any other information that may be utilized in determining whether to identify and/or approve the transaction. It may also include "transaction information" such as arbitrary information.

An "approval response message" may be an electronic message in response to an approval request message. The electronic message may be generated by the issuing financial institution or payment processing network. The acknowledgment response message may include one or more of the following status indicators, by way of example only. Authorization—Transaction has been authorized. Rejected—The transaction was not authorized. Alternatively, the call center-response is pending more information and the retailer should call a toll-free approved phone number. The authorization response message may also include an authorization code, whereby the credit card issuing bank, in response to the authorization request message, sends an electronic message (direct or payment (either via a processing network). The code can serve as proof of authorization. As noted above, in some embodiments, the payment processing network may generate an authorization response message or forward the authorization response message to the retailer.

A "device code" or "device identifier" may be a code specifically associated with a device (eg, only one device). The device code can be any device-specific, including but not limited to one or more of a Secure Element Identifier (SE ID), IMEI number, phone number, geographic location, device serial number, device fingerprint, etc. can be derived from information. Such code may be derived from such information using any suitable mathematical operation, including hashing and/or encryption. A device code may include any suitable number and/or types of symbols.

FIG. 1 shows a block diagram of an exemplary system, according to some embodiments of the invention. FIG. 2 illustrates a block diagram of an exemplary first computer according to some embodiments. FIG. 3 illustrates a block diagram of an exemplary second computer according to some embodiments. FIG. 4 outlines a flow chart of a method for computing the scalar product of two vectors and performing an interaction, according to some embodiments. FIG. 5 shows a flowchart of the setup stage, part of a method for computing the scalar product of two vectors, according to some embodiments. FIG. 6 shows a flowchart of the intermediate computation stages that are part of a method for computing the scalar product of two vectors, according to some embodiments. FIG. 7 shows a flowchart of the scalar product calculation stage, which is part of a method for calculating the scalar product of two vectors, according to some embodiments. FIG. 8 illustrates a first exemplary interaction involving a payment transaction between a first computer user and a resource provider. FIG. 9 illustrates a second exemplary interaction involving a building entry authentication process between the user of the first computer and the resource provider.

Since the embodiments are directed to privacy-preserving methods and systems for computing the scalar product of two vectors, a simple primer on vectors may be useful to better understand the embodiments.

である。ベクトルは、他の変数が従う多くの数学的関係に従う。例えば、類似したベクトルは、互いに加算または減算することができる。 The term vector has different meanings throughout science, but generally a vector refers to an ordered list of components. In some cases, vectors may also be expressed as paired magnitudes and angles or directions. For example, the vector (1 mile north, 1 mile west) indicates that the straight line path between the first point in space and the second point in space is exactly 1 mile north and 1 mile west of the first point. represents something. This vector may alternatively be expressed as (magnitude 1.414 miles, direction 45 degrees), representing that the vector is oriented 1.414 miles and 45 degrees clockwise from north. Both representations are equivalent because they describe the same path. As variables in mathematical equations, vectors are often represented by symbols with arrows on top. for example,

is. Vectors obey many mathematical relationships that other variables obey. For example, similar vectors can be added or subtracted from each other.

Many forms of data can be vectorized, ie transformed into vectors or represented by vectors. As an example, an individual's health statistics (eg, height, weight, age) may be represented by a vector such as (height 68 inches, weight 140 pounds, age 25). Vectorization is useful because data can be objectively compared using vector operations that can be rapidly performed by a computer.

For example, one way to compare two data sets is to vectorize each data set and determine the angle between the two vectors. Similar vectors have small angles between them, while different vectors have large angles between them. The angle between two identical vectors (e.g. (1 mile north, 0 miles west) and (1 mile north, 0 miles west)) is zero, but the angle between two orthogonal vectors (e.g. (1 mile north, 0 miles west) is zero). mile) and (0 miles north, 1 mile west)) are 90 degrees between them, and two opposite vectors (e.g., (1 mile north, 0 miles west) and (1 mile south, West 0 miles)) are 180 degrees between them. The angle between two vectorized data sets (e.g., a health statistic corresponding to a first person and a health statistic corresponding to a second person), or between two vectorized data sets A trigonometric function of angles (eg, cosine) can be used as a similarity or dissimilarity metric to assess the similarity or dissimilarity between those two data sets.

Similarly, vector operations such as scalar product can be used to assess similarity or dissimilarity between two vectors. A scalar product of two vectors can be calculated by multiplying each component of the first vector by the corresponding component of the second vector and summing the results. i.e.

である。

is.

と

のスカラー積は、以下に等しい。 As an example,

and

The scalar product of is equal to

The scalar product is useful, among other reasons, because it is proportional to the angle between the two vectors, as shown by the following equation:

はベクトル

の大きさ（すなわち、「サイズ」）であり、

はベクトル

の大きさであり、θは二つのベクトル間の角度である。したがって、二つのベクトル化されたデータのセットのスカラー積を使用して、これらのデータのセット間の類似性または相違性を判定することができる。 During the ceremony,

is a vector

is the magnitude (i.e., "size") of

is a vector

is the magnitude of , and θ is the angle between the two vectors. Thus, the scalar product of two vectorized data sets can be used to determine similarities or dissimilarities between these data sets.

Vectorization can be used to simplify or accelerate comparisons of data such as biometrics. In one example, the captured biometric can be compared to biometrics or biometric templates stored in a database to identify or authenticate the person corresponding to the biometric. One example is fingerprinting. In fingerprinting, an image of a person's fingerprint is captured (biometric) and compared to fingerprints stored in a fingerprint database to identify that person. If the captured fingerprint and the fingerprint stored in the fingerprint database are vectorized, use vector operations such as computing the scalar product of the captured vectorized fingerprint and the vectorized fingerprint stored in the database to determine if the captured fingerprint matches the set of fingerprints stored in the fingerprint database.

The exact method of vectorizing biometrics or biometric templates is outside the scope of this disclosure. However, the following example is provided to illustrate how exemplary biometrics can be vectorized.

An iris code (typically a biometric containing 256 bytes that can be used to perform iris recognition) can be vectorized by converting it into a vector with 256 components, each component corresponds to one byte of the corresponding iris code. Alternatively, convert the iris code into a binary vector containing 2048 components each containing 1 bit of the corresponding iris code, or alternatively 128 iris codes, each corresponding to 2 bytes of the corresponding iris code. It can be converted to a vector with components. There are many ways biometrics such as iris codes can be converted to vectors, and other biometrics (eg, fingerprints, face scans, etc.) can be converted to vectors using similar methods.

While there are many methods and techniques for biometrics, vectorization, and other methods of comparison, few are oriented toward preserving subject privacy. As an example, when getting a fingerprint scan, it is typically necessary to provide that fingerprint (biometric) to an entity (e.g., law enforcement) in order to compare it with fingerprints stored in a database. However, this exposes the person to the risk of impersonation. By impersonating a legitimate business entity, a fraudster can request the person's biometrics as part of a seemingly legitimate authentication request (eg, via an email phishing attack). Fraudsters use these biometrics to impersonate the person as part of their impersonation scheme.

However, embodiments of the present disclosure provide for two entities (e.g., a user and two computers such as a smart phone belonging to a remote server) without either entity revealing its respective biometrics to the other entity. to compute the scalar product of two vectors (eg, two vectorized biometrics). As such, the remote server can determine whether a person's biometric matches a biometric stored in the biometric database without actually receiving the person's biometric itself. As a result, information security is reliably improved, and measures to prevent impersonation techniques such as those described above are taken.

Embodiments achieve this using additive homomorphic encryption using cryptosystems such as the Paillier cipher. Additive homomorphic encryption allows participating entities to compute the sum of encrypted data without first decrypting the data. Specifically, in the Paillier cipher, the product of two ciphertexts (ie, encrypted data) equals the encrypted sum of the corresponding plaintexts.

Embodiments of the present disclosure take advantage of this property to allow two computers to compute the scalar product of two vectors while the components of the vectors are encrypted. The private key used to decrypt the vector is known only by the respective entity (i.e. the first computer knows the private key unknown to the second computer and vice versa). ), each entity can compute the scalar product of its two vectors while preventing other entities from knowing its vectors.

FIG. 1 shows a block diagram of an exemplary system 100 including a first computer 102, a second computer 104, a resource provider computer 106, and a user 108. As shown in FIG. Computers in system 100 may operatively communicate with each other via one or more communication networks.

Communications networks may take any suitable form, including direct interconnection, the Internet, local area networks (LANs), metropolitan area networks (MANs), Operating Missions as Nodes on the Internet. Internet (OMNI)), a secured custom connection, Wide Area Networks (WAN), (e.g., Wireless Application Protocol (WAP), I-Mode, and/or the like) using protocols such as but not limited to wireless network and/or the like and/or any combination thereof. Messages between entities, providers, users, devices, computers, and networks are processed using File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Secure Hypertext Transfer Protocol (HTTPS), Secure Sockets Layer (SSL), ISO (such as ISO 8583) and/or using a secure communication protocol such as, but not limited to, the like.

A method according to an embodiment allows first computer 102 and second computer 104 to each compute first vector 102A and second vector 102A without revealing their respective vectors or computed scalar products to the other computer. Allows to compute the scalar product of vector 104A. Through a series of steps described below with reference to FIGS. 4-7, the first computer 102 and the second computer 104 communicate with the first vector 102A and the second computer 104. Information can be prepared and exchanged that allows the scalar product of vector 104A to be calculated simultaneously. Each of the first computer 102 and the second computer 104 can simultaneously compare the calculated scalar product or a value derived from the scalar product (eg, the angle between two vectors) to a predetermined threshold. The first computer 102 and the second computer 104 may interact with each other if the scalar product of the values derived from the scalar product exceeds a predetermined threshold. This interaction may further include resource providers who may own or operate resource provider computers 106 .

Exemplary interactions are described in more detail below with reference to FIGS. In general, comparing the scalar product or a value derived from the scalar product to a predetermined threshold may be performed as part of an authentication procedure and if authentication is successful (i.e. value exceeds a predetermined threshold), an interaction may take place. For example, a first vector 102A is a biometric vector stored on a first computer 102 corresponding to user 108 (e.g., a smart phone owned by user 108), and a second vector 104A is a second If the biometric vector corresponding to user 108 stored in computer 104 (e.g., the biometric vector on file corresponding to user 108), use the scalar product of first vector 102A and second vector 104A. user 108 may be authenticated. Once the user 108 is authenticated, interactions such as payment transactions between the user 108 and the retailer (ie, resource provider operating resource provider computer 106) can occur.

FIG. 2 shows an exemplary first computer 200 according to some embodiments. Specifically, FIG. 2 shows a first computer 200 as a mobile device (eg, smart phone). However, it should be understood that the first computer 200 may take many forms, such as any suitable communication device defined above in the Terminology section.

First computer 200 may include circuitry used to enable certain device functions, such as wireless communication or telephony. Functional elements for enabling these functions may include a processor 202 capable of executing instructions to perform the functions and operations of the device. Processor 202 may access data storage 210 (or another suitable memory area or element) to obtain instructions or data used to execute instructions. A data input/output element 206 such as a keyboard or touch screen may be used to allow the user to operate the first computer 200 (e.g., allow the user to navigate to the Mobile Wallet application 214). do). Data input/output 206 may also be configured to output data (eg, via speakers). Display 204 can also be used to output data to the user. Communication element 208 enables data transfer between first computer 200 and a wired or wireless network (eg, via antenna 224) and may be used to enable data transfer functions, such as the Internet or It may also be used to help connect to other networks. The first computer 200 may also include a contactless element interface 220 that allows data transfer between a contactless element 222 and other elements of the device. Contactless elements 222 may include secure memory and near field communication data transfer elements (or another form of short range communication technology). As previously mentioned, cell phones, smart phones, wearable devices, laptop computers, or other similar devices are examples of mobile devices and thereby examples of first computers according to embodiments.

Data storage 210 may comprise computer readable media that may also include a number of software modules such as communication module 212 , mobile wallet application 214 , biometric application 216 , and scalar product calculation module 218 .

Communications module 212 may include code that enables processor 202 to implement or enable communications between first computer 200 and other devices, such as other mobile devices, access terminals, or second computers. Communication module 212 may allow communication according to any suitable protocol, such as TCP, UDP, IS-IS, OSPF, IGRP, EIGRP, RIP, BGP. It may enable secure communications by enabling processor 202 to establish secure or encrypted communication channels between first computer 200 and other devices. For example, communication module 212 may include code executable by processor 202 to perform a key exchange (such as a Diffie-Hellman key exchange) between mobile device 200 and another device. Communication module 212 further permits the transmission of encrypted or unencrypted vectors and cryptographic keys, as well as the transmission of access tokens, including payment tokens, to other devices such as access terminals. obtain.

Mobile wallet application 214 may include code that enables first computer 200 to manage tokens. For example, mobile wallet application 214 may include code that enables processor 202 to retrieve access tokens stored in secure memory 222 via contactless element interface 220 . The mobile wallet application 214 displays any suitable token information to the first computer 200, such as the date and time the access token was provisioned, the alias or identifier of the access token, and the date and time of the most recent interaction or transaction involving the access token. It may further include code for enabling. Additionally, mobile wallet application 214 may include code that enables processor 202 to display a graphical user interface (GUI) that allows a user to enable token-related functionality. Additionally, mobile wallet application 214 may include code that enables first computer 200 to transmit tokens to access terminals, for example, during transactions with retailers.

Biometric application 216 may include code that enables first computer 200 to capture biometric instances via data input/output 206 . For example, during the registration process (such as the registration phase 402 from FIG. 4 described in more detail below), the first computer 200 uses a data input/output element 206, such as a camera, to capture a biometric, such as a face scan. May be used to capture authentication instances. Biometric application 216 may be used to capture this biometric instance and store it on secure memory 220 in either encrypted or unencrypted form. Biometric application 216 may further include code or instructions executable by processor 202 to vectorize biometric instances, ie, generate biometric vectors corresponding to these biometric instances. Biometric application 216 may also include code or instructions executable by processor 202 for participating in a biometric-based interaction system, such as a biometric-based transaction system. These codes or instructions may include code for performing functions such as communicating with an access terminal and transmitting a biometric vector to the access terminal.

Scalar product computation module 218 may include code or instructions executable by processor 202 to perform a privacy-preserving computation of a scalar product of two vectors, according to some embodiments. These methods can be better understood with reference to FIGS. 4-7 below. The code or instructions may include, among others, random number or random vector generation, masked vector generation, private cryptographic keys (additive homomorphic cryptography such as Paillier keys), as described below with reference to FIGS. encryption and decryption of vectors, generation of negation vectors, permutation of difference vectors, computation of magnitude squared, and computation of the scalar product of two vectors.

FIG. 3 illustrates an exemplary second computer 300 according to some embodiments of the disclosure. Second computer 300 may comprise processor 302 , communication interface 304 , and computer readable media 306 . Computer readable medium 306 may comprise a number of software modules including communication module 308, registration module 310, scalar product calculation module 312, interaction module 314, and vector database 316, among others.

Processor 302 may be any suitable processing unit or device described in the Terminology section above. Communication interface 304 may comprise a network interface that allows second computer 300 to communicate with other computers or systems (eg, the first computer) over a network such as the Internet.

Communications module 308 may comprise code or software executable by processor 302 to establish communications between second computer 300 and other entities, including the first computer. By way of example, communication module 308 may comprise code that enables the generation of UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) packets, or any other suitable form of network communication. Second computer 300 may use communication module 308 to send and receive data from an entity, such as the first computer. These data may include encrypted, permuted, or otherwise vectors, as described with reference to first transmission stage 406 and second transmission stage 408 of FIG. and cryptographic keys.

Enrollment module 310 may include code that allows a user (eg, user 108 in FIG. 1) to enroll in a vector-based authentication system, such as a biometric vector authentication system. In some methods according to embodiments, registration may be optional. Accordingly, registration module 310 may be optional as well. Registration module 310 may include code that enables second computer 300 to associate a biometric vector corresponding to a user or first computer with an ID of a user or an identifier corresponding to the user. For example, registration module 310 may include code that allows second computer 300 to associate a biometric vector corresponding to an iris scan with user "John Doe." Registration module 310 may additionally include code that enables second computer 300 to store an exemplary biometric vector in association with an identifier corresponding to “John Doe” in biometric database 316 . Later, a first computer (e.g., John's smart phone) corresponding to "John Doe" and a second computer 300 are stored in biometric database 318 to authenticate John Doe and perform interactions. A privacy preserving scalar product of the biometric vector and the biometric vector stored on the first computer can be performed.

Scalar product calculation module 312 may include code executable by processor 302 to perform privacy-preserving scalar product calculations, according to some embodiments. The privacy preserving scalar product computation can be better understood with reference to the flowcharts of FIGS. 4-7. The scalar product calculation module 312 performs, in addition to the mathematical operations used to calculate vector sums, vector dissimilarities, and vector magnitudes or squared magnitudes, as described below: It may contain code that allows the generation of random vectors, masked vectors, encryption keys, permuted vectors, and the like.

Interaction module 314 may comprise code executable by processor 302 to effect interaction with the first computer. This interaction may include, for example, authenticating the first computer to the resource provider so that the first computer or a user associated with the first computer may access the resource. For example, the resource provider may be a retailer, the resource may be a product or service that the customer wishes to purchase, the first computer may be a smart phone owned by the customer, the Second computer 300 may be a server computer associated with a payment processing network. The interaction may include finalizing a payment transaction between the user and the retailer, and the interaction module 314 is executable by the processor 302 to finalize the payment transaction between the user and the retailer. May contain code.

As a second exemplary interaction, a resource provider may be a computer system that controls access to a building through a locked computerized door. The interaction between the first computer and the second computer 300 may be, for example, by sending a control signal to the resource provider's computer instructing it to open the door, or causing the resource provider's computer to open the door. 2, enabling the owner of the first computer to access the building by providing the first computer with an access token or another credential that the first computer can provide to the resource provider's computer; A second computer may be provided.

Vector database 316 may comprise any suitable database, file, or memory structure containing vectors. These vectors may include, for example, biometric vectors corresponding to multiple registered users. The second computer 300 may obtain a vector from the vector database 316 to compute the scalar product of that vector with another vector corresponding to the first computer.

および第二のベクトル

のスカラー積を計算する方法４００のフローチャート概要を示す。方法は、登録段階４０２、セットアップ段階４０４、第一の伝送段階４０６、中間計算段階４０８、第二の伝送段階４１０、スカラー積計算段階４１２、および相互作用段階４１４の七つの段階に分けられる。 FIG. 4 illustrates a first vector

and a second vector

4 shows a flowchart overview of a method 400 for computing the scalar product of . The method is divided into seven phases: registration phase 402 , setup phase 404 , first transmission phase 406 , intermediate computation phase 408 , second transmission phase 410 , scalar product computation phase 412 , and interaction phase 414 .

および第二のベクトル

の特徴、ならびに相互作用段階４１４で実施される相互作用の性質に依存し得る。 The registration phase 402 may be optional, ie in some embodiments the registration phase 402 may be performed and in other embodiments the registration phase 402 may not be performed. A feature of the registration step 402 is that the first vector

and a second vector

, as well as the nature of the interaction performed in the interaction step 414.

As an example, a vector may correspond to biometric instances, and a scalar product of two vectors may correspond to a similarity between two biometric instances. Accordingly, a scalar product may be computed to determine whether two biometric instances match with a sufficient degree of certainty (eg, 75% match, 95% match, 99% match, etc.). In this case, the enrollment phase 402 may include a biometric enrollment process. This biometric enrollment process includes, for example, capturing a biometric from an enrolled user (e.g., by capturing an image of the user's iris, performing a thumb or fingerprint scan, etc.) and converting the captured biometric. (e.g., in an iris code or other suitable digital representation of the biometric) and securely storing the biometric instance (e.g., in a secure element on a first computer and/or a in a secure database).

として表される顧客の生体認証インスタンスは、第二のベクトル

として表される顧客の生体認証インスタンスと比較され、支払処理サーバに格納され得る。生体認証ベクトルが一致する場合（第一のベクトルおよび第二のベクトルのスカラー積に基づいて判定される）、支払処理サーバは、顧客を認証し、顧客と小売業者との間の取引（すなわち、相互作用段階４１４の相互作用）を許可することができる。この場合、相互作用が取引であるため、登録段階４０２は、支払証明書（ＰＡＮなど）を、支払処理サーバー（第二のコンピュータ）に格納された生体認証ベクトル（第二のベクトル

）と関連付けることをさらに含んでもよい。この例では、登録段階４０２は、ユーザまたは消費者がユーザのＰＡＮなどの情報をウェブフォームに記入することをさらに含み、次に、それを暗号化し、第二のベクトル

に関連付けられて格納できるように第二のコンピュータに送信してもよい。 As noted above, the characteristics of the registration phase 402 may depend on the interaction phase 414 and the characteristics of the interaction. As an example, method 400 of FIG. 4 may be applied to a biometric authorization system for making payments. first vector

A customer's biometric instance represented as a second vector

and stored in the payment processing server. If the biometric vectors match (determined based on the scalar product of the first vector and the second vector), the payment processing server authenticates the customer and completes the transaction between the customer and the retailer (i.e., interaction of interaction step 414) may be allowed. In this case, since the interaction is a transaction, the registration step 402 sends the payment certificate (such as a PAN) to the biometric vector (second vector) stored on the payment processing server (second computer).

). In this example, the registration step 402 further includes the user or consumer filling out a web form with information such as the user's PAN, which is then encrypted and sent to the second vector

may be transmitted to a second computer so that it can be stored in association with the

および第二のベクトル

をそれぞれ外部ソースから（例えば、生体認証キャプチャを介して）受信する必要がない実施形態で生じ得る。例えば、第一のベクトル

は、ユーザのスマートフォンのＧＰＳから判定されるユーザの位置を表してもよく、第二のベクトル

は、ユーザが移動しようとしているカフェなどのビジネスの位置を表してもよい。したがって、第一のコンピュータは、ユーザのスマートフォンを備えてもよく、第二のコンピュータは、ナビゲーションまたはマッピングサービスに関連付けられたサーバコンピュータを備えてもよい。二つのベクトルのスカラー積は、ユーザがカフェに移動するのを助けるために、ユーザのスマートフォンによって使用され得る。ユーザの位置ベクトルはＧＰＳデータから推測でき、ナビゲーションサービスはすでにカフェの位置を知っている場合があるため、登録段階４０２を実施する必要はない場合がある。 However, as noted above, in some embodiments the registration step 402 may be optional. This means that the first computer and the second computer

and a second vector

, respectively from an external source (eg, via biometric capture). For example, the first vector

may represent the user's location as determined from the GPS of the user's smartphone, and a second vector

may represent the location of a business, such as a cafe, to which the user is traveling. Thus, the first computer may comprise the user's smart phone and the second computer may comprise the server computer associated with the navigation or mapping service. The scalar product of the two vectors can be used by the user's smart phone to help the user navigate to the cafe. Since the user's position vector can be inferred from GPS data and the navigation service may already know the café's location, it may not be necessary to perform the registration step 402 .

Setup phase 404 can be better understood with reference to FIG. In general, the setup phase may include steps that may occur before any data is transmitted between the first computer and the second computer.

FIG. 5 shows a flowchart of steps performed during the setup phase of the method according to an embodiment. Subscript A generally refers to vectors or values generated or used by a first computer, while subscript B generally refers to vectors, values generated or used by a second computer. , or cryptographic keys.

を安全に取得することができる。いくつかの実施形態では、第一のコンピュータは、ユーザに関連付けられたスマートフォンであってもよい。これらの実施形態では、第一のコンピュータは、（例えば、図２の非接触素子インタフェース２２０を使用して）第一のコンピュータのセキュア要素から第一のベクトル

を取得することができる。 At step 502A, the first computer computes the first vector

can be obtained safely. In some embodiments, the first computer may be a smart phone associated with the user. In these embodiments, the first computer receives the first vector data from the secure element of the first computer (eg, using the contactless element interface 220 of FIG. 2).

can be obtained.

を安全に取得することができる。いくつの実施形態では、第二のコンピュータは、何らかの形態の認証事業体（例えば、政府機関または支払処理ネットワークに関連付けられた支払処理サーバ）に関連付けられたリモートサーバコンピュータであってもよい。第二のコンピュータは、安全なまたは暗号化されたデータベースから第二のベクトル

を安全に取得できる。 Similarly, at step 502B, the second computer computes the second vector

can be obtained safely. In some embodiments, the second computer may be a remote server computer associated with some form of authenticating entity (eg, a government agency or a payment processing server associated with a payment processing network). A second computer retrieves a second vector from a secure or encrypted database

can be obtained safely.

および第二のベクトル

は、生体認証ベクトルであってもよく、すなわち、第一のベクトル

および第二のベクトル

は、第一の生体認証テンプレートおよび第二の生体認証テンプレート（例えば、虹彩コード、指紋のデジタル表現、音声サンプル、ＤＮＡセグメントなど）に対応してもよい。第一のベクトル

および第二のベクトル

は、等しい長さであってもよく、すなわち、同じ数の構成要素を有してもよい。 In some embodiments, the first vector

and a second vector

may be the biometric vector, i.e. the first vector

and a second vector

may correspond to a first biometric template and a second biometric template (eg, an iris code, a digital representation of a fingerprint, a voice sample, a DNA segment, etc.). first vector

and a second vector

may be of equal length, ie have the same number of components.

を生成してもよい。第一のランダムなベクトル

は、暗号的に安全な擬似ランダムな数値発生器（ＣＳＰＲＮＧ）の使用を含む、任意の適切な手段に従って生成され得る。第一のランダムなベクトル

は、第一のベクトル

と同じ長さであってもよく、すなわち、第一のベクトル

と第一のランダムなベクトル

は、同じ数の構成要素を有してもよい。例えば、第一のベクトル

が、２５６個の１バイトの構成要素を含むベクトル化された虹彩コードを含む場合、第一のランダムなベクトル

は、２５６個のランダムに生成されたバイトを含んでもよい。 At step 504A, the first computer generates a first random vector

may be generated. first random vector

may be generated according to any suitable means, including using a cryptographically secure pseudo-random number generator (CSPRNG). first random vector

is the first vector

may be of the same length as the first vector, i.e.

and the first random vector

may have the same number of components. For example, the first vector

contains a vectorized iris code containing 256 1-byte components, then a first random vector

may contain 256 randomly generated bytes.

を生成してもよい。第二のランダムなベクトル

は、ＣＳＰＲＮＧの使用を含む任意の適切な手段を使用して同様に生成されてもよい。第二のランダムなベクトル

は、第二のベクトル

と同じ長さであってもよく、すなわち、第二のベクトル

と第二のランダムなベクトル

は、同じ数の構成要素を有してもよい。 Similarly, at step 504B, the second computer generates a second random vector

may be generated. second random vector

may similarly be generated using any suitable means, including using a CSPRNG. second random vector

is the second vector

may be of the same length as the second vector, i.e.

and a second random vector

may have the same number of components.

と第一のランダムなベクトル

を組み合わせることによって、第一のマスクされたベクトル

を生成することができる。いくつかの実施形態では、第一のマスクされたベクトル

は、第一のベクトル

と第一のランダムなベクトル

との合計と等しくてもよい。 At step 506A, the first computer computes the first vector

and the first random vector

by combining the first masked vector

can be generated. In some embodiments, the first masked vector

is the first vector

and the first random vector

may be equal to the sum of

と第二のランダムなベクトル

を組み合わせることによって第二のマスクされたベクトル

を生成できる。いくつかの実施形態では、第二のマスクされたベクトル

は、第二のベクトル

と第二のランダムなベクトル

の合計と等しくてもよい。 Similarly, at step 506B, the second computer computes the second vector

and a second random vector

A second masked vector by combining

can generate In some embodiments, the second masked vector

is the second vector

and a second random vector

may be equal to the sum of

At step 508A, the first computer can generate a first key pair including a first public key Pb _A and a first private key Pr _A. The first public key Pb _A may enable the use of the encryption function _EA and the first private key Pr _A may enable the use of the decryption function _DA . That is, data (eg, vectors) encrypted with the first public key Pb _A can be decrypted with the first private key Pr _A.

At step 510A, the first computer can generate a second key pair including a second public key _Pb'A and a second private key _Pr'A . A second public key _Pb'A may enable use of the encryption function _E'A and a second private key _Pr'A may enable use of the decryption function D' _A . That is, data (eg, vectors) encrypted with the second public key _Pb'A can be decrypted with the second private key _Pr'A .

Similarly, at step 508B, the second computer can generate a third key pair including a third public key _PbB and a third private key _PrB . A third public key Pb _B may enable use of the encryption function E _B and a third private key Pr _B may enable use of the decryption function D _B . That is, data (eg, vectors) encrypted with a third public key Pb _B can be decrypted with a third private key _PrB .

Similarly, at step 510B, the second computer can generate a fourth key pair including a fourth public key _Pb'B and a fourth private key _Pr'B . A fourth public key _Pb'B may enable use of the encryption function _E'B and a fourth private key _Pr'B may enable use of the decryption function D' _B . That is, data (eg, vectors) encrypted with the fourth public key _Pb'B can be decrypted with the fourth private key _Pr'B .

In some embodiments, a first public key Pb _A , a first private key Pr _A , a second public key Pb′ A , a second private key Pr _{′ A ,} a third public key Pb _B , a third Private key Pr _B , fourth public key Pb′ _B , and fourth private key Pr′ _B may be additional homomorphic encryption keys such as Paillier encryption keys.

および

を計算でき、式中、ｌｃｍは、最小公倍数を決定するために使用される関数である。第三に、第一のコンピュータまたは第二のコンピュータは、

であるように、ランダムな整数ｇを生成できる。第四に、第一のコンピュータまたは第二のコンピュータは、

を計算することができる。（暗号化に使用される）公開鍵は、ペア（ｎ、ｇ）であり、一方、（復号に使用される）秘密鍵は、ペア（λ、μ）である。このプロセスは、生成されるキーの数に基づいて繰り返されることができ、例えば、第一のコンピュータは、第一の公開鍵Ｐｂ_Ａ、第一の秘密鍵Ｐｒ_Ａ、第二の公開鍵Ｐｂ’_Ａ、および第二の秘密鍵Ｐｒ’_Ａを生成するためにこのプロセスを二回繰り返すことができ、第二のコンピュータは、第三の公開鍵Ｐｂ_Ｂ、第三の秘密鍵Ｐｒ_Ｂ、第四の公開鍵Ｐｂ’_Ｂ、および第四の秘密鍵Ｐｒ’_Ｂを生成するために、プロセスを二回繰り返すことができる。 The generation of these cryptographic key pairs depends on the nature of the cryptosystem used. The following example of how to generate a cryptographic key pair corresponds to using the Paillier cipher. First, a first computer or a second computer randomly and independently generates two large prime numbers p and q such that the greatest common divisor pq and (p−1)(q−1) is 1. You can choose. Second, the first computer or the second computer

and

can be calculated, where lcm is the function used to determine the lowest common multiple. Third, the first computer or the second computer

A random integer g can be generated such that Fourth, the first computer or the second computer

can be calculated. The public key (used for encryption) is the pair (n,g), while the private key (used for decryption) is the pair (λ,μ). This process can be repeated based on the number of keys to be generated, for example, the first computer generates a first public key Pb _A , a first private key Pr _A , a second public key Pb′. _A , and a second private key Pr' _A , the process can be repeated twice, and the second computer generates a third public key Pb _B , a third private key Pr _B , a fourth , and _a fourth private key _Pr'B , the process can be repeated twice.

を暗号化することによって、第一の暗号化されたマスクされたベクトル

を生成することができる。 At step 512A, the first computer uses the first public key Pb _A to generate the first masked vector

the first encrypted masked vector by encrypting

can be generated.

を暗号化することによって、第一の暗号化されたランダムなベクトル

を生成することができる。 Similarly, at step 514A, the first computer uses the second public key _Pb'A to create a first random vector

by encrypting the first encrypted random vector

can be generated.

を暗号化することによって、第二の暗号化されたマスクされたベクトル

を生成できる。 At step 512B, the second computer uses the third public key Pb _B to generate the second masked vector

a second encrypted masked vector by encrypting the

can generate

を暗号化することによって、第二の暗号化されたランダムなベクトル

を生成できる。 Similarly, at step 514B, the second computer uses the fourth public key Pb' _B to generate a second random vector

by encrypting a second encrypted random vector

can generate

の場合、 Generally, in embodiments of the present disclosure, an encrypted vector refers to a vector in which each component of the vector is encrypted. For example, the first encrypted masked vector

in the case of,

Returning to FIG. 4, following the setup phase 404 is a first transmission phase 406 . In a first send step 406, the first computer and the second computer can send data to each other. This data can be used in subsequent intermediate computation stage 408 and scalar product computation stage 412 .

および第一の暗号化されたランダムなベクトル

を送信することができ、第一の暗号化されたマスクされたベクトル

は、第一の公開鍵Ｐｂ_Ａを使用して暗号化された第一のマスクされたベクトル

であり、第一の暗号化されたランダムなベクトル

は、第二の公開鍵Ｐｂ’_Ａを使用して暗号化された第一のランダムなベクトル

である。 More specifically, in a first transmission step 406, the first computer transmits to the second computer a first public key Pb _A , a second public key Pb′ _A , a first encrypted masked vector

and the first encrypted random vector

and the first encrypted masked vector

is the first masked vector encrypted using the first public key Pb _A

and the first encrypted random vector

is a first random vector encrypted using a second public key Pb' _A

is.

および第二の暗号化されたランダムなベクトル

を受信する第一のコンピュータを備えてもよく、第二の暗号化されたマスクされたベクトルは

第三の公開鍵Ｐｂ_Ｂを使用して暗号化された第二のマスクされたベクトル

であり、第二の暗号化されたランダムなベクトルは、第四の公開鍵Ｐｂ’_Ｂを使用して暗号化された第二のランダムなベクトル

である。 Additionally, the first transmission step 406 transfers from the second computer a third public key Pb _B , a fourth public key Pb′ _B , a second encrypted masked vector

and a second encrypted random vector

and the second encrypted masked vector is

A second masked vector encrypted using a third public key Pb _B

and the second encrypted random vector is the second random vector encrypted using the fourth public key _Pb'B

is.

第二の暗号化されたマスクされたベクトル

第一の暗号化されたランダムなベクトル

および第二の暗号化されたランダムなベクトル

は、任意の適切な形態で任意の適切なネットワークを介して送信され得る。例えば、これらのデータは、ＵＤＰまたはＴＣＰパケットなどのデータパケットでインターネットなどのネットワークを介して送信され得る。 These data (i.e., first public key Pb _A , second public key Pb′ _A , third public key Pb _B , fourth public key Pb′ _B , first encrypted masked vector

the second encrypted masked vector

First Encrypted Random Vector

and a second encrypted random vector

may be transmitted over any suitable network in any suitable form. For example, these data may be sent over a network such as the Internet in data packets such as UDP or TCP packets.

After the first transmission stage 406, the first computer and the second computer 408 can proceed to an intermediate computation stage 408, which can be better understood with reference to FIG.

FIG. 6 shows a flow chart of the steps performed during the intermediate computation stage of the method according to the embodiment.

を生成することができる。第一のネゲーションベクトル

は、第一のベクトルのネゲーション

を含んでもよく、すなわち、第一のネゲーションベクトル

の各構成要素は、第一のベクトル

の対応する構成要素の負の値と等しくてもよい。例えば、第一のベクトル

の場合、第一のネゲーションベクトルは、

である。 At step 602A, the first computer generates a first negation vector

can be generated. First negation vector

is the negation of the first vector

, i.e. the first negation vector

each component of the first vector

may be equal to the negative value of the corresponding component of . For example, the first vector

, the first negation vector is

is.

を生成することができる。第二のネゲーションベクトル

は、第二のベクトル

のネゲーションを含んでもよく、すなわち、第二のネゲーションベクトル

の各構成要素は、第二のベクトル

の対応する構成要素の負の値と等しくてもよい。例えば、第二のベクトル

の場合、第二のネゲーションベクトルは、

である。 Similarly, at step 602B, the second computer determines the second negation vector

can be generated. second negation vector

is the second vector

i.e. a second negation vector

each component of the second vector

may be equal to the negative value of the corresponding component of . For example, the second vector

, the second negation vector is

is.

を暗号化することによって、第一の暗号化されたネゲーションベクトル

を生成することができる。第三の公開鍵Ｐｂ_Ｂは、セットアップ段階（図４のセットアップ段階４０４）の間に第二のコンピュータによって以前に生成され、第一の伝送段階（図４の第一の伝送段階４０６）の間に第一のコンピュータに送信された可能性がある。 At step 604A, the first computer uses the third public key Pb _B to generate the first negation vector

by encrypting the first encrypted negation vector

can be generated. The third public key Pb _B was previously generated by the second computer during the setup phase (setup phase 404 in FIG. 4) and during the first transmission phase (first transmission phase 406 in FIG. 4) may have been sent to the first computer at

および第一の暗号化されたネゲーションベクトル

に基づいて、第一の暗号化された差分ベクトル

を生成することができる。第二の暗号化されたマスクされたベクトル

は、第一の伝送段階の間に第一のコンピュータによって第二のコンピュータから受信されていてもよい。いくつかの実施形態では、第一のコンピュータは、第一の暗号化された差分ベクトル

を生成するために、付加的準同型暗号化の特性を利用してもよい。これにより、第一のコンピュータは、第二の暗号化されたマスクされたベクトル

を第一に復号することなく、第一の暗号化された差分ベクトル

を生成できてもよい。 At step 606A, the first computer generates a second encrypted masked vector

and the first encrypted negation vector

The first encrypted difference vector based on

can be generated. the second encrypted masked vector

may have been received from the second computer by the first computer during the first transmission phase. In some embodiments, the first computer stores the first encrypted difference vector

A property of additive homomorphic encryption may be used to generate This causes the first computer to generate a second encrypted masked vector

without first decrypting the first encrypted difference vector

can be generated.

For example, in the Paillier cipher, the product of two ciphertexts c and d is generally equal to the encrypted sum of the corresponding plaintexts. i.e.

の各構成要素に、第一の暗号化されたネゲーションベクトル

の対応する構成要素を乗じることによって、第一の暗号化された差分ベクトル

を生成することができる。 As a result, the first computer generates a second encrypted masked vector

to each component of the first encrypted negation vector

the first encrypted difference vector by multiplying the corresponding components of

can be generated.

を暗号化することによって、第二の暗号化されたネゲーションベクトル

を生成することができる。第四の公開鍵Ｐｂ’_Ｂは、セットアップ段階中に第二のコンピュータによって生成され、第一の伝送段階の間に第一のコンピュータに送信された可能性がある。 At step 608A, the first computer uses the fourth public key _Pb'B to generate the first negation vector

by encrypting the second encrypted negation vector

can be generated. The fourth public key _Pb'B may have been generated by the second computer during the setup phase and sent to the first computer during the first transmission phase.

および第二の暗号化されたネゲーションベクトル

に基づいて、第二の暗号化された差分ベクトル

を生成することができる。第二の暗号化されたランダムなベクトル

は、第一の伝送段階の間に第二のコンピュータから受信されていてもよい。いくつかの実施形態では、第一のコンピュータは、第二の暗号化された差分ベクトル

を生成するために、付加的準同型暗号化の特性を利用してもよい。これは、ステップ６０６Ａで第一の暗号化された差分ベクトルを生成するために使用されたのと同様の一連のステップまたは演算を使用して達成することができる。すなわち、第二の暗号化されたランダムなベクトル

の各暗号化された構成要素に、第二の暗号化されたネゲーションベクトル

の対応する構成要素を乗じる。 At step 610A, the first computer generates a second encrypted random vector

and a second encrypted negation vector

A second encrypted difference vector based on

can be generated. Second Encrypted Random Vector

may have been received from the second computer during the first transmission phase. In some embodiments, the first computer stores the second encrypted difference vector

A property of additive homomorphic encryption may be used to generate This can be accomplished using a series of steps or operations similar to those used to generate the first encrypted difference vector in step 606A. i.e. a second encrypted random vector

a second encrypted negation vector

Multiply the corresponding components of .

を暗号化することによって、第三の暗号化されたネゲーションベクトル

を生成することができる。第一の公開鍵Ｐｂ_Ａは、セットアップ段階の間に第一のコンピュータによって生成され、第一の伝送段階の間に第二のコンピュータに送信された可能性がある。 At step 604B, the second computer uses the first public key Pb _A to create a second negation vector

by encrypting the third encrypted negation vector

can be generated. The first public key Pb _A may have been generated by the first computer during the setup phase and sent to the second computer during the first transmission phase.

および第三の暗号化されたネゲーションベクトル

に基づいて、第三の暗号化された差分ベクトル

を生成することができる。第二のコンピュータは、第一の伝送段階の間に、第一のコンピュータから第一の暗号化されたマスクされたベクトル

を受信していてもよい。いくつかの実施形態では、第二のコンピュータは、第三の暗号化された差分ベクトル

を生成するために、付加的準同型暗号化の特性を利用してもよい。これは、ステップ６０６Ａで第一の暗号化された差分ベクトルを生成するために使用されたのと同様の一連のステップまたは演算を使用して達成することができる。すなわち、第一の暗号化されたマスクされたベクトル

の各暗号化された構成要素と、第三の暗号化されたネゲーションベクトル

の対応する暗号化された構成要素と、を乗じる。 At step 606B, the second computer generates the first encrypted masked vector

and a third encrypted negation vector

A third encrypted difference vector based on

can be generated. The second computer receives the first encrypted masked vector from the first computer during the first transmission phase.

may have received In some embodiments, the second computer stores the third encrypted difference vector

A property of additive homomorphic encryption may be used to generate This can be accomplished using a series of steps or operations similar to those used to generate the first encrypted difference vector in step 606A. i.e. the first encrypted masked vector

and a third encrypted negation vector

with the corresponding encrypted component of .

を暗号化することによって、第四の暗号化されたネゲーションベクトル

を生成できる。第二の公開鍵Ｐｂ’_Ａは、セットアップ段階の間に第一のコンピュータによって以前に生成され、第一の伝送段階の間に第二のコンピュータに送信された可能性がある。 At step 608B, the second computer uses the second public key _Pb'A to create a second negation vector

by encrypting the fourth encrypted negation vector

can generate The second public key Pb' _A may have been previously generated by the first computer during the setup phase and sent to the second computer during the first transmission phase.

および第四の暗号化されたネゲーションベクトル

に基づいて、第四の暗号化された差分ベクトル

を生成することができる。第二のコンピュータは、第一の伝送段階の間に、第一のコンピュータから第一の暗号化されたランダムなベクトルを受信していてもよい。いくつかの実施形態では、第二のコンピュータは、第四の暗号化された差分ベクトル

を生成するために、付加的準同型暗号化の特性を利用してもよい。これは、ステップ６０６Ｂで第三の暗号化された差分ベクトルを生成するために使用された同様の一連のステップまたは演算を使用して達成され得る。すなわち、第二の暗号化されたランダムなベクトル

の各暗号化された構成要素に、第二の暗号化されたネゲーションベクトル

の対応する暗号化された構成要素を乗じる。 At step 610B, the second computer generates the first encrypted random vector

and a fourth encrypted negation vector

A fourth encrypted difference vector based on

can be generated. The second computer may have received the first encrypted random vector from the first computer during the first transmission phase. In some embodiments, the second computer stores the fourth encrypted difference vector

A property of additive homomorphic encryption may be used to generate This can be accomplished using a similar series of steps or operations used to generate the third encrypted difference vector in step 606B. i.e. a second encrypted random vector

a second encrypted negation vector

Multiply the corresponding encrypted component of .

は、三つの構成要素を含むベクトルについて、第三の構成要素が第一の位置に位置されるべきであり、第一の構成要素が第二の位置に位置されるべきであり、第二の構成要素が第三の位置に位置されるべきであることを示し得る。例えば、ベクトル

に適用される置換

は、置換されたベクトル

をもたらすことができる。 At step 612A, the first computer may generate a first permutation π _A1 and a second permutation π _A2 . As mentioned above, a permutation is a way in which a set or things can be ordered or arranged. A permutation may be used to "permute" something according to a permutation, and the permutation may be represented as a vector. As an example, replace

is for a vector containing three components, the third component should be located at the first position, the first component should be located at the second position, and the second It may indicate that the component should be placed in a third position. For example, vector

permutation applied to

is the permuted vector

can bring

と同じ数の構成要素を有してもよい。 The first computer can generate the first permutation π _A1 and the second permutation π _A2 in any number of ways. As an example, the first computer may shuffle the ordered array (ie, (1, 2, . . . , n)) using an algorithm (eg, Fisher-Yates shuffle, etc.). A shuffled ordered array can be used as the first permutation π _A1 . The first computer can use a similar process to generate a second permutation, shuffle the ordered array twice, and use the result as the second permutation π _A2 . The first permutation π _A2 and the second permutation π _A2 are represented by the first vector

may have the same number of components as

At step 612B, the second computer can generate a third permutation π _B1 and a fourth permutation π _B2 . As described above with reference to the first permutation π _A1 and the second permutation π _A2 , the third permutation π _B1 and the fourth permutation π _B2 can be obtained using, for example, a shuffling algorithm such as Fisher-Yates It can be generated in any number of ways, including shuffling an ordered array.

を使用して、第一の置換された暗号化された差分ベクトル

を生成することができる。第一のコンピュータは、第一の置換π_Ａ１を使用して第一の暗号化された差分ベクトル

を置換することによって、第一の置換された暗号化された差分ベクトル

を生成してもよい。すなわち、第一の置換π_Ａ１を第一の暗号化された差分ベクトル

に適用する。これは、第一の置換π_Ａ１の値または構成要素をインデックスとして使用して、第一の暗号化された差分ベクトル

を再順序付けすることによって達成され得る。上記で使用した例を繰り返すために、ベクトル

に適用される置換

は、置換されたベクトル

をもたらすことができる。同様に、第一の暗号化された差分ベクトル

に適用される第一の置換π_Ａ１は、第一の置換された暗号化された差分ベクトル

をもたらすことができる。 At step 614A, the first computer computes the first permutation π _A1 and the first encrypted difference vector

using the first permuted encrypted difference vector

can be generated. The first computer uses the first permutation π _A1 to generate the first encrypted difference vector

by replacing the first permuted encrypted difference vector

may be generated. That is, replace the first permutation π _A1 with the first encrypted difference vector

apply to This uses the values or components of the first permutation π _A1 as indices to index the first encrypted difference vector

can be achieved by reordering the To repeat the example used above, the vector

permutation applied to

is the permuted vector

can bring Similarly, the first encrypted difference vector

The first permutation π _A1 applied to the first permuted encrypted difference vector

can bring

を使用して、第二の置換された暗号化された差分ベクトル

を生成することができる。これは、ステップ６１４Ａを参照して上述したのと実質的に同じ方法で達成され得る。すなわち、第一のコンピュータは、第二の置換π_Ａ２を使用して第二の暗号化された差分ベクトル

の構成要素を再順序付けすることができ、第二の置換された暗号化された差分ベクトル

を生成する。 At step 616A, the first computer computes the second permutation π _A2 and the second encrypted difference vector

using the second permuted encrypted difference vector

can be generated. This can be accomplished in substantially the same manner as described above with reference to step 614A. That is, the first computer uses the second permutation π _A2 to generate the second encrypted difference vector

can reorder the components of the second permuted encrypted difference vector

to generate

を使用して、第三の置換された暗号化された差分ベクトル

を生成できる。これは、ステップ６１４Ａおよび６１６Ａを参照して上述したのと実質的に同じ方法で達成することができる。すなわち、第二のコンピュータは、第三の置換π_Ｂ１を使用して、第三の暗号化された差分ベクトル

の構成要素を再順序付けして第三の置換された暗号化された差分ベクトル

を生成することができる。 At step 614B, the second computer generates the third permutation π _B1 and the third encrypted difference vector

using the third permuted encrypted difference vector

can generate This can be accomplished in substantially the same manner as described above with reference to steps 614A and 616A. That is, the second computer uses the third permutation π _B1 to generate the third encrypted difference vector

to obtain a third permuted encrypted difference vector

can be generated.

を使用して第四の置換された暗号化された差分ベクトル

を生成できる。これは、ステップ６１４Ａ、６１４Ｂ、および６１６Ａを参照して上述したのと実質的に同じ方法で達成され得る。すなわち、第二のコンピュータは、第四の置換π_Ｂ２を使用して、第四の暗号化された差分ベクトル

の構成要素を再順序付けして、第四の置換された暗号化された差分ベクトル

を生成することができる。 At step 616B, the second computer generates the fourth permutation π _B2 and the fourth encrypted difference vector

the fourth permuted encrypted difference vector using

can generate This can be accomplished in substantially the same manner as described above with reference to steps 614A, 614B and 616A. That is, the second computer uses the fourth permutation π _B2 to generate the fourth encrypted difference vector

to obtain a fourth permuted encrypted difference vector

can be generated.

および第二のネゲーションベクトル

も、記載される中間計算段階の間ではなく、セットアップ段階の間に生成されてもよい。 Of course, in some embodiments, some steps performed during an intermediate computational stage may instead be performed at an earlier or later stage. As an example, the first permutation π _A1 , the second permutation π _A1 , the third permutation π _B1 , and the fourth permutation π _B2 may be generated during the setup phase (setup phase 404 of FIG. 4). good. Similarly, the first negation vector

and a second negation vector

may also be generated during the setup phase rather than during the intermediate computation phase described.

を計算するために、以下に説明するように使用され得る。 Returning to FIG. 4, after the intermediate computation stage 408, the first computer and the second computer may perform a second transmission stage 410. FIG. In a second transmission stage 410, the first computer and the second computer may transmit data generated during the intermediate computation stage 408 to each other. These data are used as the scalar product in the scalar product calculation step 412

can be used as described below to calculate

および第二の置換された暗号化された差分ベクトル

を送信してもよい。同様に、第二の伝送段階４１０では、第一のコンピュータは、第二のコンピュータから、第三の置換された暗号化された差分ベクトル

および第四の置換された暗号化された差分ベクトル

を受信し得、第三の置換された暗号化された差分ベクトル

は、第一の公開鍵Ｐｂ_Ａを使用して暗号化され、第三の置換π_Ｂ１を使用して置換され、第四の置換された暗号化された差分ベクトル

は、第二の公開鍵Ｐｂ’_Ａを使用して暗号化され、第四の置換π_Ｂ２を使用して置換される。 More specifically, in a second transmission step 410, the first computer sends the second computer the first permuted encrypted difference vector

and the second permuted encrypted difference vector

may be sent. Similarly, in a second transmission step 410, the first computer receives from the second computer the third permuted encrypted difference vector

and the fourth permuted encrypted difference vector

and a third permuted encrypted difference vector

is encrypted using the first public key Pb _A , permuted using the third permutation π _B1 , and the fourth permuted encrypted difference vector

is encrypted using the second public key Pb' _A and permuted using the fourth permutation π _B2 .

第二の置換された暗号化された差分ベクトル

第三の置換された暗号化された差分ベクトル

および第四の置換された暗号化された差分ベクトル

）は、任意の適切な形態で任意の適切なネットワークを介して送信され得る。例えば、これらのデータは、ＵＤＰまたはＴＣＰパケットなどのデータパケットでインターネットなどのネットワークを介して送信され得る。 As in the first transmission stage 406, these data (i.e. the first permuted encrypted difference vector

second permuted encrypted difference vector

the third permuted encrypted difference vector

and the fourth permuted encrypted difference vector

) may be transmitted over any suitable network in any suitable form. For example, these data may be sent over a network such as the Internet in data packets such as UDP or TCP packets.

および第二のベクトル

のスカラー積を計算する。スカラー積計算段階４１２は、図７を参照するとより良く理解できる。 After the second transmission step 410, the first computer and the second computer may proceed to a scalar product calculation step 412, where the first computer and the second computer calculate the first vector

and a second vector

Computes the scalar product of . The scalar product computation stage 412 can be better understood with reference to FIG.

を復号することによって、第三の置換された差分ベクトル

を生成できる。第一のコンピュータは、第一のマスクされたベクトル

の構成要素の値を知っているが、第三の置換π_Ｂ１は第一のコンピュータにはわからないため、第一のコンピュータは、第二のベクトル

の構成要素の値を決定することはできない。したがって、第二のベクトル

は、第一のコンピュータから保護される。これは、第二のベクトル

に対応する人のプライバシーを維持しうる（例えば、第二のベクトル

が人に対応する生体認証ベクトルである場合）。 At step 702A, the first computer uses the first private key Pr _A to generate a third permuted encrypted difference vector

by decoding the third permuted difference vector

can generate The first computer computes the first masked vector

, but the third permutation π _B1 is unknown to the first computer, so the first computer can replace the second vector

It is not possible to determine the values of the components of So the second vector

is protected from the first computer. This is the second vector

(e.g., the second vector

is the biometric vector corresponding to a person).

を復号することによって、第一の置換された差分ベクトル

を生成できる。第二のコンピュータは、第二のマスクされたベクトル

の構成要素の値を知っているが、第一の置換π_Ａ１は第二のコンピュータにはわからないため、第二のコンピュータは第一のベクトル

の構成要素の値を決定することはできない。したがって、第一のベクトル

は、第二のコンピュータから保護される。これは、第一のベクトル

に対応する個人のプライバシーを維持しうる（例えば、第一のベクトル

が人に対応する生体認証ベクトルである場合）。 At step 702B, the second computer uses the third private key Pr _B to generate the first permuted encrypted difference vector

by decoding the first permuted difference vector

can generate A second computer generates a second masked vector

but the first permutation π _A1 is not known to the second computer, so the second computer knows the values of the components of the first vector

It is not possible to determine the values of the components of Therefore, the first vector

is protected from a second computer. This is the first vector

(e.g., the first vector

is the biometric vector corresponding to a person).

を復号することによって、第四の置換された差分ベクトル

を生成できる。再度、第二のベクトル

は、第一のコンピュータから保護されるが、これは、第一のコンピュータは第一のランダムなベクトル

の構成要素の値を知っているが、第一のコンピュータは第四の置換π_Ｂ２を知らないためである。 At step 704A, the first computer uses the second private key _Pr'A to create a fourth permuted encrypted difference vector

by decoding the fourth permuted difference vector

can generate again the second vector

is protected from the first computer, but this is because the first computer receives the first random vector

, but the first computer does not know the fourth permutation _πB2 .

を復号することによって、第二の置換された差分ベクトル

を生成できる。再度、第一のベクトル

は第二のコンピュータから保護されるが、これは、第二のコンピュータは第二のランダムなベクトル

の構成要素の値を知っているが、第二のコンピュータは第二の置換π_Ａ２を知らないためである。 At step 704B, the second computer uses the fourth private key _Pr'B to generate the second permuted encrypted difference vector

by decoding the second permuted difference vector

can generate again the first vector

is protected from the second computer, but this is because the second computer receives a second random vector

but the second computer does not know the second permutation _πA2 .

のスカラー積と等しく、すなわち、 At step 706A, the first computer may compute the squared magnitude α' of the first masked vector. The value of the squared magnitude α' of the first masked vector is the value of the first masked vector with itself

is equal to the scalar product of, i.e.

の各構成要素の値を二乗して、次に、結果として得られる二乗を合計してもよく、すなわち、第一のコンピュータは、以下の式に従って、第一のマスクされたベクトルの二乗の大きさα’を計算してもよい。 The first computer computes the first masked vector

and then sum the resulting squares, i.e., the first computer calculates the magnitude of the squares of the first masked vector according to the following formula: α' may be calculated.

のスカラー積と等しい、すなわち、 Similarly, at step 706B, the second computer can compute the squared magnitude β' of the second masked vector. The value of the squared magnitude β' of the second masked vector is the value of the second masked vector with itself

is equal to the scalar product of

の各構成要素の値を二乗して、結果として得られた二乗を合計してもよく、すなわち、第二のコンピュータは、以下の式に従って、第二のマスクされたベクトルの二乗の大きさβ’を計算してもよい。 A second computer generates a second masked vector

and sum the resulting squares, i.e., the second computer computes the squared magnitude of the second masked vector, β ' can be calculated.

のスカラー積と等しく、すなわち、 At step 708A, the first computer can compute the squared magnitude ρ _A of the first random vector. The value of the squared magnitude ρ _A of the first random vector is the first random vector with itself

is equal to the scalar product of, i.e.

の各構成要素の値を二乗して、次いで、結果として得られる二乗を合計してもよく、すなわち、第一のコンピュータは、以下の式に従って第一のランダムなベクトルの二乗の大きさρ_Ａを計算してもよい。 The first computer generates a first random vector

and then sum the resulting squares, i.e., the first computer calculates the squared magnitude of the first random vector ρ _A according to the following formula: can be calculated.

のスカラー積と等しく、すなわち、 Similarly, at step 708B, the second computer can compute the squared magnitude ρ _B of the second random vector. The value of the squared magnitude ρ of the second random vector is the value of the second random vector with itself

is equal to the scalar product of, i.e.

の各構成要素の値を二乗して、結果として得られた二乗を合計してもよく、すなわち、第二のコンピュータは、以下の式に従って第二のランダムなベクトルの二乗の大きさρ_Ｂを計算してもよい。 A second computer generates a second random vector

may be squared and the resulting squares summed, i.e., the second computer computes the squared magnitude ρ _B of the second random vector according to the following formula: can be calculated.

のスカラー積と等しい、すなわち、 At step 710A, the first computer can compute the squared magnitude _δA of the third permuted difference vector. The value of the squared magnitude _δA of the third permuted difference vector is the third permuted difference vector with itself

is equal to the scalar product of

の各構成要素の値を二乗し、次いで、結果として得られた二乗を合計してもよく、すなわち、第一のコンピュータは、以下の式に従って、第三の置換された差分ベクトルの二乗の大きさδ_Ａを計算してもよい。 The first computer computes the third permuted difference vector

and then sum the resulting squares, i.e., the first computer calculates the magnitude of the square of the third permuted difference vector according to the following formula: _δA may be calculated.

のスカラー積と等しい、すなわち、 Similarly, at step 710B, the second computer can compute the squared magnitude δ _B of the first permuted difference vector. The value of the squared magnitude δ _B of the first permuted difference vector is the first permuted difference vector with itself

is equal to the scalar product of

の各構成要素の値を二乗し、次いで、結果として得られた二乗を合計してもよく、すなわち、第二のコンピュータは、以下の式に従って、第一の置換された差分ベクトルの二乗の大きさδ_Ｂを計算してもよい。 A second computer stores the first permuted difference vector

and then sum the resulting squares, i.e., the second computer calculates the magnitude of the square of the first permuted difference vector according to the following formula: _δB may be calculated.

のスカラー積と等しく、すなわち、 At step 712A, the first computer can compute the squared magnitude σ _A of the fourth permuted difference vector. The value of the squared magnitude σ _A of the fourth permuted difference vector is the fourth permuted difference vector with itself

is equal to the scalar product of, i.e.

の各構成要素の値を二乗し、次いで、結果として得られた二乗を合計してもよく、すなわち、第一のコンピュータは、以下の式に従って、第四の置換された差分ベクトルの二乗の大きさσ_Ａを計算してもよい。 The first computer computes the fourth permuted difference vector

and then sum the resulting squares, i.e., the first computer calculates the magnitude of the square of the fourth permuted difference vector according to the following formula: σ _A may be calculated.

のスカラー積と等しい、すなわち、 Similarly, at step 712B, the second computer can compute the squared magnitude σ _B of the second permuted difference vector. The value of the squared magnitude σ _B of the second permuted difference vector is the second permuted difference vector with itself

is equal to the scalar product of

の各構成要素の値を二乗し、次いで、結果として得られた二乗を合計してもよく、すなわち、第二のコンピュータは、以下の式に従って、第四の置換された差分ベクトルの二乗の大きさσ_Ｂを計算してもよい。 A second computer generates a second permuted difference vector

and then sum the resulting squares, i.e., the second computer computes the magnitude of the square of the fourth permuted difference vector according to the following formula: σ _B may be calculated.

と第二のベクトル

のスカラー積を計算してもよい。いくつかの実施形態では、第一のコンピュータは、以下の式に基づいて、第一のベクトル

と第二のベクトル

のスカラー積を計算してもよい。 At step 714A, the first computer calculates the squared magnitude of the first masked vector α′, the squared magnitude of the first random vector ρ _A , the squared magnitude of the third permuted difference vector Based on the magnitude δ _A and the magnitude σ _A of the square of the fourth permuted difference vector, the first vector

and a second vector

You may compute the scalar product of In some embodiments, the first computer computes the first vector

and a second vector

You may compute the scalar product of

と第二のベクトル

のスカラー積を計算してもよい。いくつかの実施形態では、第二のコンピュータは、以下の式に基づいて、第一のベクトル

と第二のベクトル

のスカラー積を計算してもよい。 Similarly, at step 714B, the second computer calculates the squared magnitude β' of the second masked vector, the squared magnitude ρB of the second random vector, the squared magnitude _ρB of the first permuted vector Based on the squared magnitude δ _B and the squared magnitude σ _B of the second permuted vector, the first vector

and a second vector

You may compute the scalar product of In some embodiments, the second computer computes the first vector

and a second vector

You may compute the scalar product of

と第二のベクトル

のスカラー積を計算して、上述のようにスカラー積を正確に計算するため、第一のコンピュータおよび第二のコンピュータによって使用される方法を示すのが有用であり得る。 As a summary, the first vector

and a second vector

It may be useful to show the method used by the first computer and the second computer to compute the scalar product of and to compute the scalar product exactly as described above.

Recall that by definition the scalar product of two vectors is equal to the sum of the products of the components of each vector.

と第二のベクトル

のスカラー積を計算する。 As described above, the first computer computes a first masked vector squared magnitude α′, a first random vector squared magnitude ρ _A , a third permuted Using the squared magnitude of the vector δ _A and the squared magnitude σ _A of the fourth permuted vector, the first vector

and a second vector

Computes the scalar product of .

の二乗の大きさは、ベクトル

の二乗の構成要素の合計として定義される。 Again, given vector

The magnitude of the square of the vector

is defined as the sum of the squared components of

。第三の置換された差分ベクトルの二乗の大きさδ_Ａは、以下のように表され得る。 the third permuted difference vector, as defined above

. The squared magnitude δ _A of the third permuted difference vector can be expressed as:

Because of the commutative property of addition, summation is independent of permutation, so

By definition of the scalar product and the squared magnitude α' of the first masked vector, the squared magnitude _δA of the third permuted difference vector can be further expressed as:

Using similar reasoning, we can express the fourth permuted difference vector σ _A as follows.

Returning to the scalar product formula, replace the formulas for the squared magnitude of the third permuted difference vector δ _A and the fourth permuted difference vector squared magnitude σ _A .

Group by similar criteria

は、第一のベクトル

と第一のランダムなベクトル

の合計と等しいことを思い出されたい。 the first masked vector

is the first vector

and the first random vector

Recall that it is equal to the sum of

The scalar product formula can be simplified as follows.

と第二のベクトル

のスカラー積を計算するのに使用する式の精度を示す。 This means that the first computer, the first vector

and a second vector

Indicates the precision of the expression used to compute the scalar product of .

と第二のベクトル

のスカラー積を計算する。 Similarly, the second computer stores a second masked vector square magnitude β′, a second random vector square magnitude ρ _B , a first permuted difference vector square magnitude _The first _vector

and a second vector

Computes the scalar product of .

Similar reasoning can be used to determine the formula for the squared magnitude δ _B of the first permuted difference vector.

Similarly, the expression for the squared magnitude σ _B of the second permuted difference vector can be determined.

Returning to the scalar product formula, replace the formulas for the squared magnitude δ _B of the first permuted difference vector and the squared magnitude σ _B of the second permuted difference vector.

Group by similar criteria

は、第二のベクトル

と第二のランダムなベクトル

の合計と等しい。 the second masked vector

is the second vector

and a second random vector

equal to the sum of

The scalar product formula can be simplified as follows.

と第二のベクトル

のスカラー積を計算するのに正確であることを示す。 This is because the equation used by the second computer is the first vector

and a second vector

shows that it is accurate to compute the scalar product of .

）、第一のコンピュータは、支払取引や、第一のコンピュータのユーザまたは所有者のために安全な建物に入場することなど、第二のコンピュータと相互作用を実施してもよい（すなわち、図４の相互作用段階４１４の間）。スカラー積から導出され得る値の例として、第一のベクトル

と第二のベクトル

との間の角度、または第一のベクトル

と第二のベクトル

との間の角度のコサイン、または第一のベクトル

と第二のベクトル

との間の角度の別の三角関数、またはマッチスコア、距離メトリックなどのいくつかの他の値が挙げられる。 Returning to FIG. 7, at step 716A, the first computer may compare the scalar product or a value derived from the scalar product to a first predetermined threshold Τ _A , the scalar product or a value derived from the scalar product. If the value obtained exceeds a first predetermined threshold (i.e.

), the first computer may conduct interactions with the second computer, such as payment transactions or entering a secure building for the user or owner of the first computer (i.e., FIG. 4 interaction phase 414). As an example of values that can be derived from the scalar product, the first vector

and a second vector

the angle between or the first vector

and a second vector

the cosine of the angle between and the first vector

and a second vector

or some other value such as a match score, a distance metric, etc.

と第二のベクトル

との間の角度が５度以下であり、スカラー積から導出された値が第一のベクトル

と第二のベクトル

との間の角度のコサインである場合、第一の所定の閾値Τ_Ａは、

に等しくなり得る。スカラー積から導出された値が第一の所定の閾値Τ_Ａよりも大きい場合、第一のベクトル

と第二のベクトル

との間の角度差が５度以下であり、潜在的に一致を示すことを示す。 As an example, if the match criterion is the first vector

and a second vector

is less than or equal to 5 degrees, and the value derived from the scalar product is the first vector

and a second vector

A first predetermined threshold Τ _A , if the cosine of the angle between

can be equal to If the value derived from the scalar product is greater than a first predetermined threshold _ΤA , the first vector

and a second vector

is less than or equal to 5 degrees, potentially indicating a match.

および第二のベクトル

は、第一の生体認証テンプレートおよび第二の生体認証テンプレートにそれぞれ対応することができ、第一の所定の閾値Τ_Ａは、生体認証一致閾値であってもよい。 In some embodiments, the first vector

and a second vector

may correspond to the first biometric template and the second biometric template, respectively, and the first predetermined threshold Τ _A may be a biometric match threshold.

と第二のベクトル

との間の角度、または第一のベクトル

と第二のベクトル

の間の角度の三角関数）を、第二の所定の閾値Τ_Ｂと比較してもよく、スカラー積またはスカラー積から導出された値が、第二の所定の閾値を超える場合、（すなわち、

）第二のコンピュータは、支払い取引の実行、または安全な建物への第一のコンピュータのユーザのアクセスの許可など、第一のコンピュータと相互作用を実施してもよい（すなわち、図４の相互作用段階４１４の間）。 At step 716B, the second computer generates the scalar product or a value derived from the scalar product (eg, the first vector

and a second vector

the angle between or the first vector

and a second vector

( _{trigonometric} function of the angle between

4.) The second computer may perform interactions with the first computer, such as executing payment transactions or granting access to the user of the first computer to a secure building (i.e., the interaction of FIG. 4). during the working phase 414).

In some embodiments, the first predetermined threshold _ΤA and the second predetermined threshold _ΤB may not be equal, and either the first computer or the second computer performs the interaction. We show that we can have a higher threshold for However, in other embodiments it may be advantageous that the first predetermined threshold _ΤA and the second predetermined threshold _ΤB are equal.

In some embodiments, after comparing the scalar product or a value derived from the scalar product to a first predetermined threshold T _A , the first computer determines that the first computer is satisfied with the comparison and that the interaction A display message may be sent to the second computer indicating to proceed. Similarly, after comparing the scalar product or a value derived from the scalar product with a second predetermined threshold T _B , the second computer indicates that the second computer is satisfied with the comparison and proceeds to interact. A display message may be sent to the first computer. Alternatively or additionally, each of the first computer and/or the second computer displays an indicator when a suitable match is determined (e.g., green light) or not (e.g., red light). (eg, on a display).

The advantage of both computers comparing the scalar product to their respective thresholds is that both computers can confirm that the scalar exceeds their respective thresholds. For example, if only the first computer compares the scalar product to its respective threshold, the second computer determines that the first computer computed the scalar product correctly, and that the first computer determines that the scalar product is the first It must be relied upon to honestly demonstrate that it exceeds a predetermined threshold of . However, because both computers compute the scalar product and compare the scalar product or the value derived from the scalar product to their respective thresholds, each computer can confirm the computation and neither computer can fool the other. .

Returning to FIG. 4, after the scalar product calculation stage 412, the first computer and the second computer may perform an interaction at an interaction stage 414. FIG. An interaction is a scalar product, or a value derived from a scalar product (e.g., an angle, a heuristic evaluation of an angle, a cosine of an angle, a heuristic evaluation of a cosine of an angle, another distance metric, etc.), see FIG. exceed a predetermined threshold, as described in

The interaction of interaction stage 414 can take many forms. FIG. 8 shows a block diagram of a first exemplary interaction, payment transaction. FIG. 9 shows a block diagram of a second exemplary interaction, building access order.

FIG. 8 shows an exemplary transaction processing system. This transaction processing system may be used as part of a first exemplary interaction between first computer 804 and second computer 806 .

User 802 may be a customer operating a first computer 804 (eg, smart phone). A user 802 may wish to purchase goods or services from a resource provider (eg, a retailer operating the resource provider's computer 810). A resource provider may additionally operate an access terminal 808 (eg, a POS terminal). Resource provider 810 can communicate with issuer computer 816 via acquirer computer 812 and payment processing network 814 .

Payment processing network 814 may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. An exemplary payment processing network 814 may include VisaNet™. Payment processing networks such as VisaNet™ are capable of processing credit card transactions, debit card transactions, and other types of commercial transactions. Specifically, VisaNet™ includes the VIP system (Visa Integrated Payment System), which processes authorization requests, and the Base II system, which performs clearing and settlement services. The payment processing network can use any suitable wired or wireless network, including the Internet.

An exemplary payment transaction using privacy-preserving scalar product calculations based on biometric vectors can be described below. User 802 may bring first computer 804 into contact with access terminal 808 such that first computer 804 and access terminal 808 may communicate via, for example, near field communication. A first computer 804 can communicate to access a terminal 808 at which a user 802 wishes to pay for goods or services. The access terminal 808 is an access token or the like that can be used to establish a payment between a payment account associated with the user 802 managed by the issuer and a payment account associated with the resource provider managed by the acquirer. may request a certificate of

To obtain an access token, the first computer 804 and the second computer 806 store the first biometric vector stored on the first computer 804 and the biometric vector database on the second computer 806. A privacy preserving scalar product calculation may be performed to calculate a scalar product of the second biometric vectors obtained. First computer 804 and second computer 806 may perform the scalar product calculations described above with reference to FIGS. In calculating the scalar product, second computer 806 may compare the scalar product or a value derived from the scalar product to a predetermined threshold. If the scalar product or a value derived from the scalar product exceeds a predetermined threshold, the second computer 806 may transmit an access token to the first computer 804 (this transmission is between the first computer 804 and the second computer 804). computer 806).

After receiving the access token from second computer 806 , first computer 804 may send the access token and any additional access credentials to access terminal 808 . Resource provider computer 810, operating in communication with access terminal 808, then sends an authorization request containing the information received by access terminal 808 along with any additional transaction information (eg, transaction amount, retailer-specific information, etc.). A message may be generated and this information electronically transmitted to the acquirer computer 812 . Acquirer computer 812 may then receive, process, and forward the authorization request message to issuer computer 816 via payment processing network 814 for authorization. Publisher computer 816 may respond with an authorization response message. The authorization response message may be sent from issuer computer 816 to access terminal 808 via resource provider computer 810 , acquirer computer 812 and payment processing network 814 .

At the end of the day, or at other suitable time intervals, clearing and settlement processing between acquirer computer 812, payment processing network 814, and issuer computer 816 may occur for transactions.

FIG. 9 shows a second exemplary interaction according to some embodiments. User 902 wishes to access a secure facility, building 910 (ie, a secure apartment complex or government building). The door to building 910 is locked and controlled by resource provider computer 908 . To access building 910, user 902 must provide an access token or another credential to resource provider computer 908 via first computer 904 (eg, user 902's smart phone).

User 902 may have previously enrolled in a biometric system involving second computer 906 . A second computer 906 may store the biometric vector (second vector) corresponding to the user 902 in a biometric database. Similarly, first computer 904 may store a saved biometric vector (first vector) corresponding to user 902 on the secure element. Alternatively, the user 902 can use the first computer 904 to capture biometric instances, for example by pointing a smartphone camera at their eyes and taking a picture, and vectorizing the captured biometric instances. good too.

As part of a biometric authentication system, first computer 904 and second computer 906 can compute a scalar product of a first vector and a second vector to authenticate user 902 . After calculating the scalar product (as described above with reference to FIGS. 4-7), the second computer 906 processes the scalar product or values derived from the scalar product (eg, the first vector and the second vector and ) can be compared to a predetermined threshold. If the scalar product or a value derived from the scalar product exceeds a predetermined threshold, user 902 may be authenticated. Second computer 906 can then send an instruction to resource provider computer 908 instructing resource provider computer 908 to open the door and allow user 902 access to building 910 . can. Alternatively, second computer 906 can issue an access token to first computer 904 . First computer 904 can then provide this access token to resource provider 908 (eg, via short-range wireless communication or via a network such as the Internet or a LAN). Resource provider computer 908 can validate the access token and grant user 902 access to building 910 .

Any computer system described herein may utilize any suitable number of subsystems. In some embodiments, a computer system may include a single computer device and a subsystem may be a component of the computer device. In other embodiments, the computer system may include multiple computer devices, each subsystem having internal components.

A computer system, for example, may include multiple identical components or subsystems connected together by external interfaces or by internal interfaces. In some embodiments, computer systems, subsystems or devices may communicate over a network. In such instances, one computer can be considered a client and another computer a server, and each can be part of the same computer system. Clients and servers may each include multiple systems, subsystems, or components.

Any of the embodiments of the present invention use hardware (e.g., application specific integrated circuits or field programmable gate arrays) and/or have a generic programmable processor in a modular or integrated fashion. It should be understood that it can be implemented in the form of control logic using computer software. As used herein, a processor includes a single-core processor, a multi-core processor on the same integrated chip, or multiple processing units on a single circuit board or on a network. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will know other ways and/or methods of implementing embodiments of the present invention using hardware and combinations of hardware and software; will understand.

Any of the software components or functions described in this application may be written in, for example, Java, C, C++, C#, Objective-C, Swift, or Perl or Python using conventional or object-oriented techniques. It may be implemented as software code executed by a processor using any suitable computer language, such as a scripting language. The software code may be stored as a series of instructions or commands on a computer-readable medium for storage and/or transmission, suitable mediums including random access memory (RAM), read only memory (ROM), hard Including magnetic media such as drives or floppy disks, or optical media such as compact discs (CDs) or DVDs (digital versatile discs), flash memory, and the like. A computer readable medium may be any combination of such storage or transmission devices.

Such programs may also be coded and transmitted over wired, optical and/or wireless networks conforming to various protocols, including the Internet, using carrier signals adapted for transmission. Thus, computer readable media according to embodiments of the present invention may be produced using data signals encoded with such programs. A computer-readable medium encoded with the program code may be packaged with a compatible device or provided separately from another device (eg, via Internet download). Any such computer-readable medium may be on or within a single computer product (e.g., a hard drive, CD, or an entire computer system) and may reside on or within different computer products within a system or network. You may A computer system may include a monitor, printer or other suitable display for providing any of the results referred to herein to a user.

Any of the methods described herein can be implemented in whole or in part with a computer system including one or more processors that can be configured to perform the steps. Embodiments thus provide a computer system configured to perform the steps of any of the methods described herein, potentially using different components to perform each step or each group of steps. can contain. Although presented as numbered steps, the steps of the methods herein can be performed simultaneously or in a different order. Moreover, some of these steps may be used with some of other steps from other methods. Also, all or part of the steps may be optional. Additionally, and any method steps may be implemented using modules, circuits, or other means for performing those steps.

The specific details of particular embodiments may be combined in any suitable manner without departing from the spirit and scope of embodiments of the invention. However, other embodiments of the invention may include specific embodiments of individual aspects or specific combinations of these individual aspects. The foregoing descriptions of exemplary embodiments of the invention have been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms described, and many modifications and variations are possible in light of the above teachings. is. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, thereby enabling those skilled in the art to find various alternatives in various embodiments and suitable for the particular applications contemplated. Modifications are used to enable the invention to be most optimally utilized.

A recitation of "a," "an," or "the" is intended to mean "one or more," unless specified to the contrary. The use of "or" means "inclusive or" and is not intended to mean "exclusive or," unless specifically stated to the contrary.

All patents, patent applications, publications and descriptions mentioned herein are hereby incorporated by reference in their entirety for all purposes. None of these are considered prior art.

Claims (20)

transmitting, by the first computer, to the second computer the first public key, the second public key, the first encrypted masked vector, and the first encrypted random vector wherein said first encrypted masked vector is a first masked vector encrypted using said first public key; said first encrypted masked vector the random vector is a first random vector encrypted using the second public key;
a third public key, a fourth public key, a second encrypted masked vector, and a second encrypted random vector from the second computer by the first computer; receiving, wherein the second encrypted masked vector is a second masked vector encrypted using the third public key; the encrypted random vector is a second random vector encrypted using the fourth public key;
receiving, by the first computer, from the second computer a third permuted encrypted difference vector and a fourth permuted encrypted difference vector; is encrypted using said first public key, permuted using a third permutation, and said fourth permuted encrypted difference vector is encrypted using the second public key and permuted using a fourth permutation;
a third permuted encrypted difference vector by decrypting, by the first computer, the third permuted encrypted difference vector using a first private key corresponding to the first public key; generating a difference vector;
a fourth permuted encrypted difference vector by decrypting, by the first computer, the fourth permuted encrypted difference vector using a second private key corresponding to the second public key; generating a difference vector with
Based on the first masked vector, the first random vector, the third permuted difference vector, and the fourth permuted difference vector, by the first computer, a first computing a scalar product of the vector of and a second vector. Computing the scalar product of the first vector and the second vector comprises:
calculating, by the first computer, the squared magnitude of the first masked vector;
calculating, by the first computer, the squared magnitude of the first random vector;
calculating, by the first computer, the squared magnitude of the third permuted difference vector;
calculating, by the first computer, the squared magnitude of the fourth permuted difference vector;
by said first computer said squared magnitude of said first masked vector, said squared magnitude of said first random vector, said squared magnitude of said third permuted difference vector; and calculating the scalar product of the first vector and the second vector based on the magnitude of the square of the fourth permuted difference vector. described method. by said first computer to said second computer said first public key, said second public key, said first encrypted masked vector, and said first encrypted Before sending the random vector, the method includes:
generating, by the first computer, the first random vector;
generating, by the first computer, the first masked vector by combining the first vector and the first random vector;
generating, by the first computer, a first permutation and a second permutation;
generating, by said first computer, a first key pair comprising said first public key and said first private key;
generating, by said first computer, a second key pair comprising said second public key and said second private key;
encrypting, by the first computer, the first masked vector using the first public key;
2. The method of claim 1, further comprising encrypting, by the first computer, the first random vector using the second public key. the first public key, the first private key, the second public key, the second private key, the third public key, a third private key corresponding to the third public key; 2. The method of claim 1, wherein the fourth public key and a fourth private key corresponding to the fourth public key are additive homomorphic encryption keys. by said first computer, from said second computer, said third public key, said fourth public key, said second encrypted masked vector, and said second encrypted Before receiving the random vector,
said second computer generating said second random vector;
said second computer generating said second masked vector by combining said second vector and said second random vector;
said second computer generating said third permutation and said fourth permutation;
said second computer generating a third key pair comprising said third public key and a third private key;
said second computer generating a fourth key pair comprising said fourth public key and a fourth private key;
the second computer encrypting the second masked vector using the third public key;
2. The method of claim 1, wherein said second computer encrypts said second random vector using said fourth public key. the second computer generates a third encrypted negation vector by encrypting the second negation vector using the first public key;
the second computer generates a third encrypted difference vector based on the first encrypted masked vector and the third encrypted negation vector;
the second computer generates a fourth encrypted negation vector by encrypting the second negation vector using the second public key;
the second computer generates a fourth encrypted difference vector based on the first encrypted random vector and the fourth encrypted negation vector;
said second computer using a third permutation and said third encrypted difference vector to generate said third permuted encrypted difference vector;
2. The second computer of claim 1, wherein said second computer uses a fourth permutation and said fourth encrypted difference vector to generate said fourth permuted encrypted difference vector. Method. comparing, by the first computer, the scalar product or a value derived from the scalar product to a first predetermined threshold;
further performing interaction with the second computer by the first computer if the scalar product or the value derived from the scalar product exceeds the first predetermined threshold. 2. The method of claim 1, comprising: 8. The method of claim 7, wherein the first vector and the second vector correspond to a first biometric template and a second biometric template, respectively, and the first predetermined threshold is a biometric match threshold. described method. by said first computer, from said second computer, said third public key, said fourth public key, said second encrypted masked vector, and said second encrypted after receiving the random vector and before receiving, by the first computer, the third permuted difference vector and the fourth permuted difference vector from the second computer; The method is
generating, by the first computer, a first encrypted negation vector by encrypting the first negation vector using the third public key;
generating, by the first computer, a first encrypted difference vector based on the second encrypted masked vector and the first encrypted negation vector;
generating, by the first computer, a second encrypted negation vector by encrypting the first negation vector using the fourth public key;
generating, by the first computer, a second encrypted difference vector based on the second encrypted random vector and the second encrypted negation vector;
generating, by the first computer, a first permuted encrypted difference vector using the first permutation and the first encrypted difference vector;
generating, by the first computer, a second permuted encrypted difference vector using the second permutation and the second encrypted difference vector;
further transmitting, by the first computer, the first permuted encrypted difference vector and the second permuted encrypted difference vector to the second computer; 2. The method of claim 1, comprising: said second computer decrypting said first permuted encrypted difference vector using a third private key corresponding to said third public key, thereby performing a first permuted generates a difference vector with
said second computer decrypting said second permuted encrypted difference vector using a fourth private key corresponding to said fourth public key, thereby obtaining a second permuted generates a difference vector with
the second computer, based on the second masked vector, the second random vector, the first permuted difference vector, and the second permuted difference vector, the computing the scalar product of one vector and the second vector;
the second computer comparing the scalar product or a value derived from the scalar product to a second predetermined threshold;
10. The second computer performs interaction with the first computer if the scalar product or the value derived from the scalar product exceeds the second predetermined threshold. the method of. a processor;
A non-transitory computer-readable medium coupled to the processor, comprising:
transmitting to a second computer the first public key, the second public key, the first encrypted masked vector, and the first encrypted random vector, said The first encrypted masked vector is a first masked vector encrypted using said first public key, said first encrypted random vector comprising: transmitting a first random vector encrypted using the second public key;
receiving from the second computer a third public key, a fourth public key, a second encrypted masked vector, and a second encrypted random vector, The second encrypted masked vector is a second masked vector encrypted using the third public key, and the second encrypted random vector is , a second random vector encrypted using the fourth public key;
receiving from the second computer a third permuted encrypted difference vector and a fourth permuted encrypted difference vector, wherein the third permuted encrypted difference vector is encrypted using said first public key, permuted using a third permutation, and said fourth permuted encrypted difference vector is encrypted using said second public key; receiving encrypted using a key and permuted using a fourth permutation;
generating a third permuted difference vector by decrypting the third permuted encrypted difference vector using a first private key corresponding to the first public key; ,
generating a fourth permuted difference vector by decrypting the fourth permuted encrypted difference vector using a second private key corresponding to the second public key; ,
a first vector and a second vector based on the first masked vector, the first random vector, the third permuted difference vector, and the fourth permuted difference vector; and a non-transitory computer-readable medium comprising code executable by said processor to perform a method comprising: computing a scalar product of . calculating the scalar product of the first vector and the second vector;
calculating the squared magnitude of the first masked vector;
calculating the squared magnitude of the first random vector;
calculating the squared magnitude of the third permuted difference vector;
calculating the squared magnitude of the fourth permuted difference vector;
the squared magnitude of the first masked vector, the squared magnitude of the first random vector, the squared magnitude of the third permuted difference vector, and the fourth 12. The first computer of claim 11, comprising calculating the scalar product of the first vector and the second vector based on the magnitude of the square of the permuted difference vector. before transmitting to the second computer the first public key, the second public key, the first encrypted masked vector, and the first encrypted random vector; In addition, the method includes:
generating the first random vector;
generating the first masked vector by combining the first vector and the first random vector;
generating a first permutation and a second permutation;
generating a first key pair including the first public key and the first private key;
generating a second key pair including the second public key and the second private key;
encrypting the first masked vector using the first public key;
12. The first computer of claim 11, further comprising encrypting said first random vector using said second public key. the first public key, the first private key, the second public key, the second private key, the third public key, a third private key corresponding to the third public key; 12. The first computer of claim 11, wherein said fourth public key and a fourth private key corresponding to said fourth public key are additive homomorphic encryption keys. before receiving from the second computer the third public key, the fourth public key, the second encrypted masked vector, and the second encrypted random vector; to the
said second computer generating said second random vector;
said second computer generating said second masked vector by combining said second vector and said second random vector;
said second computer generating said third permutation and said fourth permutation;
said second computer generating a third key pair comprising said third public key and a third private key;
said second computer generating a fourth key pair comprising said fourth public key and a fourth private key;
the second computer encrypting the second masked vector using the third public key;
12. The first computer of claim 11, wherein said second computer encrypts said second random vector using said fourth public key. the second computer generates a third encrypted negation vector by encrypting the second negation vector using the first public key;
the second computer generates a third encrypted difference vector based on the first encrypted masked vector and the third encrypted negation vector;
the second computer generates a fourth encrypted negation vector by encrypting the second negation vector using the second public key;
the second computer generates a fourth encrypted difference vector based on the first encrypted random vector and the fourth encrypted negation vector;
said second computer using a third permutation and said third encrypted difference vector to generate said third permuted encrypted difference vector;
12. The second computer of claim 11, wherein said second computer uses a fourth permutation and said fourth encrypted difference vector to generate said fourth permuted encrypted difference vector. first computer. The method includes:
comparing the scalar product or a value derived from the scalar product to a first predetermined threshold;
12. The method of claim 11, further comprising interacting with the second computer if the scalar product or the value derived from the scalar product exceeds the first predetermined threshold. first computer. 18. The method of claim 17, wherein the first vector and the second vector correspond to a first biometric template and a second biometric template, respectively, and the first predetermined threshold is a biometric match threshold. The first computer described. after receiving from the second computer the third public key, the fourth public key, the second encrypted masked vector and the second encrypted random vector and prior to receiving the third permuted difference vector and the fourth permuted difference vector from the second computer, the method comprising:
generating a first encrypted negation vector by encrypting the first negation vector using the third public key;
generating a first encrypted difference vector based on the second encrypted masked vector and the first encrypted negation vector;
generating a second encrypted negation vector by encrypting the first negation vector using the fourth public key;
generating a second encrypted difference vector based on the second encrypted random vector and the second encrypted negation vector;
generating a first permuted encrypted difference vector using the first permutation and the first encrypted difference vector;
generating a second permuted encrypted difference vector using the second permutation and the second encrypted difference vector;
12. The method of claim 11, further comprising transmitting the first permuted encrypted difference vector and the second permuted encrypted difference vector to the second computer. first computer. said second computer decrypting said first permuted encrypted difference vector using a third private key corresponding to said third public key, thereby performing a first permuted generates a difference vector with
said second computer decrypting said second permuted encrypted difference vector using a fourth private key corresponding to said fourth public key, thereby obtaining a second permuted generates a difference vector with
the second computer, based on the second masked vector, the second random vector, the first permuted difference vector, and the second permuted difference vector, the computing the scalar product of one vector and the second vector;
the second computer comparing the scalar product or a value derived from the scalar product to a second predetermined threshold;
20. The second computer performs interaction with the first computer if the scalar product or the value derived from the scalar product exceeds the second predetermined threshold. first computer.

Images